Vulnerability prealerting by monitoring the online repositories of open source projects

Author: Westfalewicz, Andrzej (TU Delft Electrical Engineering, Mathematics and Computer Science; TU Delft Software Technology)
Contributors: Proksch, S. (mentor); Bruntink, Magiel (mentor)
Degree granting institution: Delft University of Technology
Programme: Computer Science
Date: 2023-01-13

Abstract: Software security plays a crucial role in a modern world governed by software. While closed source projects can address security issues with some confidentiality, open source projects must address them in public, even though just as many projects depend on them. In half of the documented cases, the vulnerability could have been spotted almost 20 days before its disclosure, leaving a potential attacker plenty of time to exploit the weakness. Based on the results of a basic text search, we conclude that most security-related activity is a reaction to already known vulnerabilities, and that maintainers do not always use security terms when fixing vulnerabilities. We also confirm that many security-labeled issues are never pushed to vulnerability databases, even though the maintainers recognize their security aspect. While commit classification models can spot security-related commits automatically, they struggle in realistic scenarios, and no particular feature or sampling method is vastly better than the others; the state-of-the-art models we evaluated spot security-related commits with an F1 score of 0.36. Given these findings, we conclude that security-related activity is hard to distinguish automatically from everyday development activity, and that manual review is required to spot these traces. The proposed methods can make this review easier. We suggest that more attention be given to open source security to avoid early public traces of vulnerabilities.

Subject: Open source software; Machine Learning; Deep Learning; Commit representation; Source code embedding; Software security; Software vulnerability analysis; Vulnerabilities; Security advisories; Vulnerability Management
To reference this document use: http://resolver.tudelft.nl/uuid:be08d8c2-4fd6-405b-8861-804985cbecd5
Part of collection: Student theses
Document type: master thesis
Rights: © 2023 Andrzej Westfalewicz
Files: Westfalewicz_MSc_thesis.pdf (PDF, 3.37 MB)
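The three measurements the abstract relies on (a basic text search for security terms over commit messages, precision/recall/F1 of that search against labeled commits, and the exposure window between a fix commit and its public disclosure), as a small added Python example. This is illustrative code written for this page, not the thesis's tooling: the commit records, the term list and the dates are constructed, and the term list is an assumption a real study would tune.

```python
import re
import statistics
from datetime import date

# Constructed sample commits (not from the thesis):
# (sha, commit date, commit message, ground truth: is this a security fix?)
SAMPLE_COMMITS = [
    ("a1", date(2022, 3, 1), "Fix buffer overflow in packet parser (CVE-2022-0001)", True),
    ("a2", date(2022, 3, 2), "Bump version to 1.4.2", False),
    ("a3", date(2022, 3, 5), "Validate length field before memcpy", True),
    ("a4", date(2022, 3, 7), "Add security note to README", False),
    ("a5", date(2022, 3, 9), "Refactor logging", False),
]

# Constructed (fix commit date, public disclosure date) pairs.
SAMPLE_WINDOWS = [
    (date(2022, 3, 1), date(2022, 3, 21)),
    (date(2022, 3, 5), date(2022, 3, 8)),
    (date(2022, 2, 1), date(2022, 3, 30)),
]

# Assumed keyword list for the "basic text search"; case-insensitive, whole words.
SECURITY_TERMS = re.compile(
    r"\b(cve-\d{4}-\d+|vuln\w*|exploit\w*|overflow|injection|xss|csrf|sanitiz\w*|security)\b",
    re.IGNORECASE,
)


def flag_security_commits(commits):
    """Return the set of SHAs whose message contains at least one security term."""
    return {sha for sha, _, msg, _ in commits if SECURITY_TERMS.search(msg)}


def precision_recall_f1(commits, flagged):
    """Score the flagged set against the ground-truth labels in `commits`."""
    truth = {sha for sha, _, _, is_fix in commits if is_fix}
    tp = len(flagged & truth)
    fp = len(flagged - truth)
    fn = len(truth - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def exposure_days(commit_date, disclosure_date):
    """Days during which the fix was public in the repository before disclosure."""
    return (disclosure_date - commit_date).days


def median_exposure_days(windows):
    """Median exposure window over a list of (commit date, disclosure date) pairs."""
    return statistics.median(exposure_days(c, d) for c, d in windows)


if __name__ == "__main__":
    flagged = flag_security_commits(SAMPLE_COMMITS)
    print("flagged:", sorted(flagged))
    print("precision/recall/F1:", precision_recall_f1(SAMPLE_COMMITS, flagged))
    print("median exposure (days):", median_exposure_days(SAMPLE_WINDOWS))
```

On the constructed sample the keyword search misses commit a3, a real fix whose message never mentions security (the pattern the abstract describes as maintainers not mentioning security terms), and flags a4, a documentation change that merely uses the word "security"; both errors together give precision, recall and F1 of 0.5. The median exposure over the three constructed windows is 20 days, which is the kind of figure the abstract's "half of the documented cases" statement summarizes.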