5. Recent Failures with PDNs
● left-pad (npm) in 2016
● Equifax data breach in 2017
● Log4j in 2021
6. Issues with PDNs
● The update problem
● The compliance problem
● The deprecation problem
● The lack of incentive problem
7. Existing Solutions to the Issues of PDNs
● Services like GitHub's Dependabot
● Problems:
○ No support for assessing updates
○ No help with impact assessment
○ False positives: alerts are raised at package level, even when the package never calls the vulnerable code
9. The FASTEN Project
● Fine-grained Analysis of SofTware Ecosystems as Networks
● Aims at solving the issues of PDNs by making package management robust and intelligent
● A centralized service to host the graphs and serve the analyses
10. The FASTEN Solution
● More precise license compliance
○ Am I linking to GPL code?
● More precise risk profiling
○ Does this vulnerability affect my package?
● More precise change impact analysis
○ How many packages will I break if I change this function?
○ Can I safely update the dependencies of my package?
● Integration with package managers
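The two questions above (does a vulnerability reach my package, how many packages break if a function changes) and the false-positive problem from slide 7 all reduce to reachability over a function-level call graph instead of a package-level dependency graph. The following is an added example, not FASTEN code: a constructed toy package network and call graph (package and function names are invented) showing that a package-level check alerts on a vulnerable dependency while the call-graph check shows the vulnerable function is never reached, plus the reverse query used for change impact and for checking which removed functions an update would actually break.

```python
from collections import deque

# Constructed sample data (invented packages): package -> direct dependencies.
DEPENDENCIES = {
    "my-app": {"http-lib", "json-lib"},
    "http-lib": {"logging-lib"},
    "json-lib": set(),
    "logging-lib": set(),
}

# Constructed fine-grained call graph: "package/function" -> set of callees.
# logging-lib/lookup plays the role of a function with a known vulnerability;
# only http-lib/post calls it, and my-app never calls http-lib/post.
CALL_GRAPH = {
    "my-app/main": {"http-lib/get", "json-lib/parse"},
    "http-lib/get": {"logging-lib/info"},
    "http-lib/post": {"logging-lib/lookup"},
    "json-lib/parse": set(),
    "logging-lib/info": set(),
    "logging-lib/lookup": set(),
}


def package_of(function):
    """Package part of a 'package/function' identifier."""
    return function.split("/", 1)[0]


def _bfs(start, neighbours):
    """All nodes reachable from start over the neighbours map (start itself excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in neighbours.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def transitive_dependencies(package):
    return _bfs(package, DEPENDENCIES)


def package_level_alert(package, vulnerable_package):
    """Coarse check (what a package-level scanner does): the vulnerable
    package appears somewhere in the dependency tree."""
    return vulnerable_package in transitive_dependencies(package)


def reachable_functions(entry_point):
    return _bfs(entry_point, CALL_GRAPH)


def vulnerability_is_reachable(entry_point, vulnerable_function):
    """Fine-grained check: is the vulnerable function actually called
    (directly or transitively) from the entry point?"""
    return vulnerable_function in reachable_functions(entry_point)


def reverse_call_graph():
    """callee -> set of callers, built from CALL_GRAPH."""
    callers = {fn: set() for fn in CALL_GRAPH}
    for caller, callees in CALL_GRAPH.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(caller)
    return callers


def impacted_packages(changed_function):
    """Packages (other than the owner) that transitively call the function:
    what would break if its signature or behaviour changed."""
    owner = package_of(changed_function)
    callers = _bfs(changed_function, reverse_call_graph())
    return {package_of(fn) for fn in callers} - {owner}


def breaking_changes_for_update(entry_point, dependency, removed_functions):
    """Functions of `dependency` that an update removes AND that the entry
    point actually reaches; empty set means the update is safe on this axis."""
    used = {fn for fn in reachable_functions(entry_point) if package_of(fn) == dependency}
    return used & set(removed_functions)


if __name__ == "__main__":
    print("package-level alert:", package_level_alert("my-app", "logging-lib"))
    print("vulnerable function reached:",
          vulnerability_is_reachable("my-app/main", "logging-lib/lookup"))
    print("packages impacted by changing logging-lib/info:",
          impacted_packages("logging-lib/info"))
    print("breaking removals for http-lib update:",
          breaking_changes_for_update("my-app/main", "http-lib", ["http-lib/post"]))
```

The package-level check returns True for my-app (a false positive in this constructed graph) while the call-graph check returns False, because nothing reachable from my-app/main calls logging-lib/lookup. Real call-graph generation must also handle dynamic dispatch and reflection, which this toy graph does not model.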
11. Overview of the FASTEN Architecture
[Architecture diagram; recovered labels:]
● Data streams: package repositories, vulnerability information
● FASTEN server: call graph generators; analysis layer (security, change impact, compliance, quality and risk); storage layer
● Consumers: REST API, Web UI, Continuous Integration servers
12. Examples of FASTEN Workflow
● Update with confidence
[Before/after comparison figure; only the panel labels "Before FASTEN" and "After FASTEN" survived extraction]
13. Examples of FASTEN Workflow
● Deciding to use a library
[Before/after comparison figure; only the panel labels "Before FASTEN" and "After FASTEN" survived extraction]