FOSS is here to stay, displacing malevolent privative counterparts—great! FOSS exposes bugs to be found and fixed by the community—great! FOSS shows security issues than can be exploited by attackers—gr..what? In the last decades, source code transparency has made the job of black-hat hackers increasingly easy. We now have security websites exposing vulnerabilities and even exploits online—and despite good practices like responsible disclosure, it is the sheer amount of (external) code what makes everyone ultimately vulnerable. In plain words, nobody's safe. From that base, this talk puts forward the need for a concept of *probability of future exploits*. This is crucial for project management, but also at developer level, to see the risks of not upgrading (or yes upgrading!) a dependency. We show how this probability can, and must, be computed from a project's dependency tree, in a manner that only the use of FOSS can allow. We also show that the development history of the project and its dependencies is key to getting useful results. Finally, we merge the dependency tree and development history of a project into a white-box model, which we use to estimate the probability of future exploits. We show how to do it for the Java-Maven environment, for which we can use the FOSS tool 'FIG'. FIG, written in C++ and released under GPLv3, was designed for statistical estimations and can compute the probability of attacks in complex scenarios like the ones at hand.

1. >>> Predict security attacks in FOSS
>>> Why you want it and how to do it
Name: Carlos E. Budde
Inst: University of Trento, Italy
Date: 10th November 2023
[~]$ _ [1/9]

2. [1. Motif]$ _ [2/9]

3. [1. Motif]$ _ [2/9]

4. is FOSS...
[1. Motif]$ _ [2/9]

5. is FOSS...
or uses FOSS
[1. Motif]$ _ [2/9]

6. is FOSS...
or uses FOSS
Free
Open-Sou
[1. Motif]$ _ [2/9]

7. #CVEs published per year
Source: https://cve.mitre.org/data/downloads/allitems.csv.Z
[1. Motif]$ _ [3/9]

8. 2020
2018 2019 2020
2019
0%
20%
40%
60%
80%
100%
… using open source so�tware
… with 1 or more vulnerabilities
… with high-risk vulnerabilities
Codebases …
Open-source so�tware and vulnerabilities
Source: https://www.synopsys.com/software-integrity/engage/ossra/rep-ossra-2023-pdf
[1. Motif]$ _ [3/9]

9. 2020
2018 2019 2020
2019
0%
20%
40%
60%
80%
100%
… using open source so�tware
… with 1 or more vulnerabilities
… with high-risk vulnerabilities
Codebases …
Open-source so�tware and vulnerabilities
Source: https://www.synopsys.com/software-integrity/engage/ossra/rep-ossra-2023-pdf
[1. Motif]$ _ [3/9]

10. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
[1. Motif]$ _ [4/9]

11. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
Dependency tree of Redisson v3.19.0
[1. Motif]$ _ [4/9]

12. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
Dependency tree of Redisson v3.19.0
[1. Motif]$ _ [4/9]

13. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
Dependency tree of Redisson v3.19.0
[1. Motif]$ _ [4/9]

14. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
Dependency tree of Redisson v3.19.0
[1. Motif]$ _ [4/9]

15. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
Dependency tree of Redisson v3.19.0
[1. Motif]$ _ [4/9]

16. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
Dependency tree of Redisson v3.19.0
[1. Motif]$ _ [4/9]

17. >>> Vulnerabilities in dependency tree
$ mvn dependency:tree
[INFO] Scanning for projects...
.
.
.
[INFO]
[INFO] -----------------------< org.redisson:redisson >------------------------
[INFO] Building Redisson 3.19.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ redisson ---
[INFO] org.redisson:redisson:jar:3.19.0
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:provided
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | - io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:provided
[INFO] | - io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:provided
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
.
.
.
Dependency tree of Redisson v3.19.0
[1. Motif]$ _ [4/9]

18. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa
io.netty:netty-codec
4.1.79
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
[2. Da problem]$ _ [5/9]

19. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
[2. Da problem]$ _ [5/9]

20. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
[2. Da problem]$ _ [5/9]

21. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
[2. Da problem]$ _ [5/9]

22. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
[2. Da problem]$ _ [5/9]

23. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
[2. Da problem]$ _ [5/9]

24. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
[2. Da problem]$ _ [5/9]

25. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
[2. Da problem]$ _ [5/9]

26. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
Forced
MOVE
Wrong
MOVE
Correct
STAY
Correct
MOVE
Correct
STAY
[2. Da problem]$ _ [5/9]

27. >>> Software’s vulnerable lifecycle
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
ℓa
3.17.7
? ? ? ?
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
Is there a best time to update?
[2. Da problem]$ _ [5/9]

28. >>> Idea: fit CVE disclosure time
[3. Proposal]$ _ [6/9]

29. >>> Idea: fit CVE disclosure time
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
[3. Proposal]$ _ [6/9]

30. >>> Idea: fit CVE disclosure time
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
[3. Proposal]$ _ [6/9]

31. >>> Idea: fit CVE disclosure time
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
[3. Proposal]$ _ [6/9]

32. >>> Idea: fit CVE disclosure time
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
[3. Proposal]$ _ [6/9]

33. >>> Idea: fit CVE disclosure time
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
[3. Proposal]$ _ [6/9]

34. >>> Idea: fit CVE disclosure time
org.redisson:redisson
3.17.5
ℓa ℓa
3.17.6
3.17.5
ℓa
ℓa
3.17.7
ℓa
3.18.0
ℓa
3.18.1
ℓa
3.17.7
ℓa
3.19.0
io.netty:netty-codec
4.1.79
ℓd
4.1.80
ℓd
4.1.81
ℓd
4.1.82
ℓd
4.1.83
ℓd
4.1.84
ℓd
4.1.85
ℓd
4.1.86
ℓd
Sep'22
Aug'22
Jul'22 Dec'22
Oct'22 Nov'22 time
CVE-2022-41915 disclosed!
affects netty [4.1.83, 4.1.86)
Time since lib. release
Probability
of
CVE
public.
1M 2M 3M 4M ...
[3. Proposal]$ _ [6/9]

35. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
[4. Challenges]$ _ [7/9]

36. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
[4. Challenges]$ _ [7/9]

37. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
[4. Challenges]$ _ [7/9]

38. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
[4. Challenges]$ _ [7/9]

39. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
[4. Challenges]$ _ [7/9]

40. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
[4. Challenges]$ _ [7/9]

41. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
[4. Challenges]$ _ [7/9]

42. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
[4. Challenges]$ _ [7/9]

43. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
Features used to partition data,
not to predict vulnerabilities
[4. Challenges]$ _ [7/9]

44. >>> Preliminary outcomes
Time from release date of library to publication date of CVE
Probability
of
CVE
in
own_code
of
library
Small/Medium Large
Local
Remote
network
[5. Results]$ _ [8/9]

45. >>> Predict security attacks in FOSS
>>> Why you want it and how to do it
Name: Carlos E. Budde†
Inst: University of Trento, Italy
https://vuass.eu.qualtrics.com/
jfe/form/SV_cFSKOHjHZnaH2Si
Ethical
security
survey
—
Vrije
Universiteit
Amsterdam
†
carlosesteban.budde@unitn.it
[~]$ _ [9/9]