Alfadel, Mahmoud (2021) Assessing and Enhancing the Security of Software Packages. PhD thesis, Concordia University.
Text (application/pdf, 5MB): Alfadel_PhD_S2022.pdf - Accepted Version
Abstract
Modern software applications are developed with increasing reliance on open-source software packages (i.e., dependencies). This dependence on open-source packages is highly beneficial to software development, since it speeds up development tasks and improves software quality. However, it also has implications for the security of software applications. Dependencies with security vulnerabilities have the potential to expose hundreds of applications to security breaches, potentially causing huge financial and reputational damage. Hence, it is essential to build a solid understanding of the security health of software packages and of how developers react once vulnerabilities are found in the packages they depend on.
To this end, in this thesis we conduct empirical studies that shed light on the security state of software packages from two aspects. In the first aspect, we study the lifecycle of security vulnerabilities in packages. We analyze how long it takes to discover and fix security vulnerabilities that affect software packages, in order to better evaluate the response of software ecosystems to security vulnerabilities. Once a vulnerability is discovered, it is also critical to mitigate its impact on software applications. Therefore, in the second aspect, we evaluate the effectiveness of existing mechanisms in mitigating the impact of package vulnerabilities. We assess the role of two popular mechanisms for tackling security vulnerabilities in software packages. The insights from the studies in this thesis can help researchers and practitioners better understand the security implications of adopting software packages. Also, leveraging the findings of these studies, we provide a series of implications that can help improve the process of discovering, fixing and managing package vulnerabilities. Finally, the implications of our work lead us to build several prototype tools to increase developers' awareness of vulnerable packages that affect their projects and to help them better plan the maintenance of their software packages from a security perspective.
| Field | Value |
|---|---|
| Divisions | Concordia University > Gina Cody School of Engineering and Computer Science > Computer Science and Software Engineering |
| Item Type | Thesis (PhD) |
| Authors | Alfadel, Mahmoud |
| Institution | Concordia University |
| Degree Name | Ph. D. |
| Program | Software Engineering |
| Date | 7 December 2021 |
| Thesis Supervisor(s) | Shihab, Emad |
| ID Code | 989984 |
| Deposited By | Mahmoud Alfadel |
| Deposited On | 16 Jun 2022 15:09 |
| Last Modified | 16 Jun 2022 15:09 |