Vulnerability Management of Open-Source Libraries
2023 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
Background: The widespread use of open-source libraries in software development has brought numerous benefits, including access to a wide range of reusable code and collaboration with a global community of developers. However, this increased reliance on third-party code also introduces new security risks in the form of vulnerabilities that malicious actors can exploit. Vulnerability management, the process of identifying, assessing, and mitigating vulnerabilities, is crucial in ensuring the security and reliability of open-source libraries.
Objectives: This thesis aims to investigate the vulnerability management process of open-source libraries used by an organization and compare it with what is suggested in the literature.
Methods: This study uses rapid reviews to understand the vulnerability management process described in the literature and a case study to investigate the vulnerability management process in the organization.
Results: This study's results indicate many similarities between the organization's process and the literature's suggestions. The organization uses a tool to identify and assess vulnerabilities and mitigates them by migrating to the latest stable version. There are a few differences in the process compared with the literature's suggestions. The literature suggests anticipating threats, estimating migration effort, assessing reachability, and integrating SCA (Software Composition Analysis) tools into the development workflow. The vulnerability management process requires constant attention and effort, as new vulnerabilities are discovered daily. The interviews with the developers revealed challenges faced in the process.
Conclusions: The results of our study indicate that the practices and suggestions in the literature may not be suitable for every organization. Every organization has its own set of requirements and constraints, which must be considered when implementing any practice. The differences and challenges identified in this study are potential areas for improvement.
Place, publisher, year, edition, pages
2023, p. 70
Keywords [en]
vulnerability management, software security, open-source software.
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-24333
OAI: oai:DiVA.org:bth-24333
DiVA id: diva2:1741037
Subject / course
PA2534 Master's Thesis (120 credits) in Software Engineering
Educational program
PAADA Master Qualification Plan in Software Engineering 120,0 hp
2023-03-02. Bibliographically approved.