Hidden Risk of Unpopularity in Open Source (2021)

By Chujiao Ma & Vaibhav Garg, Comcast Cable

Software development across the industry relies on the use of open source components (OSCs). Because these components are open-sourced, there is an assumption that they are tested for security by third-party researchers or open source communities. A vulnerability in a popular component can have ripple effects across the ecosystem. Consequently, more popular components are more likely to attract the attention of third-party researchers or the community. Less popular components are thus often left unexamined and potentially vulnerable. In this paper we propose a model to identify the OSCs that create the greatest attack surface. Specifically, we propose a metric called the relative popularity ratio and use it to risk-rank a set of JavaScript OSCs. We further refine the ranking using observable properties of the code, such as the number of lines of code. We then validate the efficacy of this metric by engaging third-party university researchers to find vulnerabilities. Our results show that the hidden risk from unpopular OSCs is concentrated and can therefore be addressed by small investments in the security analysis of OSCs.
