Hidden Risk of Unpopularity in Open Source (2021)

By Chujiao Ma & Vaibhav Garg, Comcast Cable

Software development across the industry relies on open source components (OSCs). Because these components are open-sourced, it is commonly assumed that third-party researchers or the open source community test them for security. A vulnerability in a popular component can have ripple effects across the ecosystem, so more popular components are more likely to attract the attention of third-party researchers or the community. Less popular components are thus often left unexamined and potentially vulnerable. In this paper we propose a model to identify the OSCs that create the greatest attack surface. Specifically, we propose a metric called the relative popularity ratio and use it to risk-rank a set of JavaScript OSCs. We further refine the ranking using observable properties of the code, such as the number of lines of code. We then validate the efficacy of this metric by engaging third-party university researchers to find vulnerabilities. Our results show that the hidden risk from unpopular OSCs is concentrated and can therefore be addressed by small investments in the security analysis of OSCs.

