[BK21 x ERC Seminar] Prof. 정성균, University of Tennessee, Friday 3/22, 2 PM

March 13, 2024


Date and time: Friday, March 22, 2024, 2:00 to 3:00 PM

Venue: Seoul National University Graduate School of Data Science, Building 942, Room 302

Speaker: Prof. 정성균 (Assistant Professor, Haslam College of Business, University of Tennessee, Knoxville)

Topic: Improving Software Supply Chain Security with Automation: Evidence from Dependabot

Abstract:

A newer but increasingly prevalent class of cyberattacks targets the software supply chain, which encompasses the components involved in software development. A major gateway for software supply chain attacks is the exploitation of security vulnerabilities in external open-source components (i.e., dependencies). To address this, developers must promptly resolve each vulnerable dependency that their software uses (e.g., by updating the vulnerable version of the dependency to a patched version). In response to this challenge, automated dependency management tools have recently been released to help developers resolve vulnerable dependencies. We investigate how the adoption of one such tool, Dependabot, improves the resolution speed of vulnerable dependencies. Through the analysis of 1,963,957 JavaScript open-source software packages, we identified 1,545,860 instances of vulnerable dependencies. Using survival analysis, our findings reveal that packages that adopt Dependabot exhibit a 3.258 times higher resolution hazard and are therefore faster at resolving vulnerable dependencies. Notably, this effect is more pronounced for less visible dependencies and for vulnerabilities categorized at the lowest severity level. However, the impact of Dependabot adoption on the resolution of vulnerable dependencies is lower for more complex packages, suggesting that the tool is more effective when developers have fewer components to maintain. Our results carry implications for how developers can collaborate with automation tools to better manage their dependencies and underscore the value of automation for enhancing software supply chain security.
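To illustrate the survival-analysis framing used in the abstract (time from a vulnerability alert to its resolution, with still-vulnerable dependencies right-censored), here is an added example that is not part of the seminar or the study's own code: a Kaplan-Meier estimate of time-to-resolution for Dependabot adopters versus non-adopters on a constructed alert sample, plus a crude constant-hazard rate ratio. The sample data, group labels and function names are assumptions made for this example.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample, not data from the study. Each tuple is (days from the
# vulnerability alert to resolution or to the observation cutoff, resolved flag,
# group); resolved == 0 means still vulnerable at the cutoff (right-censored).
ALERTS = [
    (3, 1, "dependabot"), (7, 1, "dependabot"), (7, 1, "dependabot"),
    (12, 0, "dependabot"), (15, 1, "dependabot"), (20, 0, "dependabot"),
    (10, 1, "none"), (25, 1, "none"), (25, 0, "none"),
    (40, 1, "none"), (60, 0, "none"), (90, 1, "none"),
]

def group(records, name):
    return [r for r in records if r[2] == name]

def kaplan_meier(records):
    """Survival curve [(t, S(t))]: the probability that a vulnerable dependency
    is still unresolved after t days. Censored records leave the risk set at
    their cutoff time without being counted as resolutions."""
    resolved = defaultdict(int)  # resolutions observed at day t
    leaving = defaultdict(int)   # resolutions plus censorings at day t
    for t, event, _ in records:
        leaving[t] += 1
        resolved[t] += event
    at_risk, s, curve = len(records), Fraction(1), []
    for t in sorted(leaving):
        if resolved[t]:
            s *= 1 - Fraction(resolved[t], at_risk)
            curve.append((t, s))
        at_risk -= leaving[t]
    return curve

def median_resolution_days(curve):
    """First day by which at least half of the instances are resolved, or
    None if the curve never drops to 0.5 within the observation window."""
    for t, s in curve:
        if s <= Fraction(1, 2):
            return t
    return None

def crude_rate_ratio(records, treated="dependabot", control="none"):
    """Resolutions per dependency-day in each group and their ratio: a
    constant-hazard approximation of a resolution hazard ratio. The study
    uses survival regression, which this simple estimate does not reproduce."""
    def rate(name):
        rows = group(records, name)
        return Fraction(sum(e for _, e, _ in rows), sum(t for t, _, _ in rows))
    return rate(treated) / rate(control)
```

On this constructed sample the adopter group reaches a 50% resolution probability at day 7 and the non-adopter group at day 40; the rate ratio is a rough reading of "higher resolution hazard", not the study's 3.258 estimate.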