
Assessing and Enhancing the Security of Software Packages


Alfadel, Mahmoud (2021) Assessing and Enhancing the Security of Software Packages. PhD thesis, Concordia University.

Full text: Alfadel_PhD_S2022.pdf (PDF, Accepted Version)


Modern software applications are developed with increasing reliance on open-source software packages (i.e., dependencies). This dependence on open-source packages is highly beneficial to software development, since it speeds up development tasks and improves software quality. However, it also has implications for the security of software applications. Dependencies with security vulnerabilities have the potential to expose hundreds of applications to security breaches, potentially causing large financial and reputational damage. Hence, it is essential to build a solid understanding of the security health of software packages and of how developers react once vulnerabilities are found in the packages they depend on.

To this end, in this thesis, we conduct empirical studies that shed light on the security state of software packages from two aspects. In the first aspect, we study the lifecycle of security vulnerabilities in packages. We analyze how long it takes to discover and fix security vulnerabilities that affect software packages, in order to better evaluate the response of software ecosystems to security vulnerabilities. Once a vulnerability is discovered, it is also critical to mitigate its impact on software applications. Therefore, in the second aspect, we evaluate the effectiveness of existing mechanisms in mitigating the impact of package vulnerabilities. We assess the role of two popular mechanisms for tackling security vulnerabilities in software packages. The insights from the studies in this thesis can help researchers and practitioners better understand the security implications of adopting software packages. Also, leveraging the findings of these studies, we provide a series of implications that can help improve the process of discovering, fixing and managing package vulnerabilities. Finally, the implications of our work lead us to build several prototype tools that increase developers' awareness of vulnerable packages affecting their projects and help them better plan the maintenance of their software packages from a security perspective.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Computer Science and Software Engineering
Item Type: Thesis (PhD)
Authors: Alfadel, Mahmoud
Institution: Concordia University
Degree Name: Ph.D.
Program: Software Engineering
Date: 7 December 2021
Thesis Supervisor(s): Shihab, Emad
ID Code: 989984
Deposited By: Mahmoud Alfadel
Deposited On: 16 Jun 2022 15:09
Last Modified: 16 Jun 2022 15:09
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
