Biblio

Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package Index (PyPI). In total, over 197 thousand packages and over 749 thousand security issues are covered. Even under the constraints imposed by static analysis, (a) the results indicate prevalence of security issues; at least one issue is present for about 46% of the Python packages. In terms of the issue types, (b) exception handling and different code injections have been the most common issues. The subprocess module stands out in this regard. Reflecting the generally small size of the packages, (c) software size metrics do not predict well the amount of issues revealed through static analysis. With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems.

The endeavor to achieving software security consists of a set of risk-based security engineering processes during software development. In iterative software development, the software design typically evolves as the project matures, and the technical environment may undergo considerable changes. This increases the work load of identifying, assessing and managing the security risk by each iteration, and after every change. Besides security risk, the changes also accumulate technical debt, an allegory for postponed or sub-optimally performed work. To manage the security risk in software development efficiently, and in terms and definitions familiar to software development organizations, the concept of technical debt is extended to contain security debt. To accommodate new technical debt with potential security implications, a security debt management approach is introduced. The selected approach is an extension to portfolio-based technical debt management framework. This includes identifying security risk in technical debt, and also provides means to expose debt by security engineering techniques that would otherwise remained hidden. The proposed approach includes risk-based extensions to prioritization mechanisms in existing technical debt management systems. Identification, management and repayment techniques are presented to identify, assess, and mitigate the security debt.