Thesis topic:

Security Risk Susceptibility of Open Source Libraries

  • Supervisors: Kristiina Rahkema and Abasi-Amefon Obot Affia
    • contact: amefon.affia@ut.ee, kristiina.rahkema@ut.ee
  • Using third-party libraries is common practice in software development, and package managers have made it easy to add them as dependencies. However, many of today’s open-source products ship with several libraries that have known vulnerabilities with considerable security impact on the resulting software. The relevance of this problem has been acknowledged by OWASP, which included “A06:2021-Vulnerable and Outdated Components” in its 2021 Top 10. The category moved up from #9 in 2017 (A09:2017-Using Components with Known Vulnerabilities) to #6 in 2021, showing that it is a recognised issue that complicates security testing and risk assessment. Typical patch management techniques are suggested to mitigate the risk of vulnerable libraries once a vulnerability is known, but they do not allow for preemptive security risk management.
  • This study should analyse and categorise vulnerabilities in open-source libraries typically used in software projects, together with the programming languages those libraries are written in. The analysis results can then be used to estimate the inherent risk of depending on packages written in a given language. Risk estimation can account for factors such as evidence of mitigating actions, time-to-patch, number of contributors, the complexity of the programming language, and the ease of applying patches.
  • References
  • 1. Turner, Stephen. "Security vulnerabilities of the top ten programming languages: C, Java, C++, Objective-C, C#, PHP, Visual Basic, Python, Perl, and Ruby." Journal of Technology Research 5 (2014): 1.
  • 2. Tsipenyuk, Katrina, Brian Chess, and Gary McGraw. "Seven pernicious kingdoms: A taxonomy of software security errors." IEEE Security & Privacy 3.6 (2005): 81-84.
  • 3. Rahkema, Kristiina, and Dietmar Pfahl. "Dataset: dependency networks of open source libraries available through CocoaPods, Carthage and Swift PM." Proceedings of the 19th International Conference on Mining Software Repositories. 2022.
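As an illustration of the analysis the topic description asks for, the following added example (not code from the supervisors or from any referenced paper) categorises a small set of constructed advisories by programming language and by the Seven Pernicious Kingdoms taxonomy of reference 2, computes per-language time-to-patch statistics, and combines them into a transparent risk score. The package names, dates, CWE-to-kingdom mapping, weights and 90-day cap are all assumptions made for the example; a real study would replace them with mined advisory data and justified parameters.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    language: str
    cwe: str                 # CWE id of the root cause
    disclosed: date          # public disclosure date
    fixed: Optional[date]    # None: no fixed release at the time of the snapshot
    contributors: int        # active maintainers at disclosure


# Constructed sample data for the example; none of these are real packages or advisories.
ADVISORIES = [
    Advisory("libfoo", "C", "CWE-787", date(2021, 3, 1), date(2021, 3, 31), 4),
    Advisory("libbar", "C", "CWE-362", date(2021, 6, 10), date(2021, 8, 9), 2),
    Advisory("libbaz", "C", "CWE-401", date(2022, 1, 5), None, 1),
    Advisory("pyfoo", "Python", "CWE-502", date(2021, 2, 1), date(2021, 2, 8), 20),
    Advisory("pybar", "Python", "CWE-798", date(2021, 9, 15), date(2021, 9, 29), 12),
    Advisory("jsfoo", "JavaScript", "CWE-79", date(2021, 4, 1), date(2021, 4, 4), 50),
    Advisory("jsbar", "JavaScript", "CWE-89", date(2021, 11, 20), date(2021, 12, 1), 8),
    Advisory("jsbaz", "JavaScript", "CWE-327", date(2022, 3, 3), None, 3),
]

# Coarse mapping of CWE ids onto the Seven Pernicious Kingdoms (Tsipenyuk et al.).
# The assignment is this example's own and would need to be justified in the thesis.
KINGDOM = {
    "CWE-79": "Input Validation and Representation",
    "CWE-89": "Input Validation and Representation",
    "CWE-502": "Input Validation and Representation",
    "CWE-787": "Input Validation and Representation",
    "CWE-327": "Security Features",
    "CWE-798": "Security Features",
    "CWE-362": "Time and State",
    "CWE-401": "Code Quality",
}

# Hypothetical weights: each factor named in the topic description is a separate,
# inspectable term of the score. The numbers themselves are not a claim.
WEIGHTS = {"ttp": 0.4, "unpatched": 0.4, "bus_factor": 0.2}
TTP_CAP_DAYS = 90  # a median time-to-patch beyond this counts as the worst case


def time_to_patch_days(a: Advisory) -> Optional[int]:
    """Days from public disclosure to a fixed release; None while unpatched."""
    return None if a.fixed is None else (a.fixed - a.disclosed).days


def categorise(advisories) -> Counter:
    """Count advisories per (language, kingdom) pair."""
    return Counter((a.language, KINGDOM.get(a.cwe, "Unclassified")) for a in advisories)


def per_language_stats(advisories) -> dict:
    """Aggregate time-to-patch, unpatched share and maintainer count per language."""
    by_lang: dict[str, list[Advisory]] = {}
    for a in advisories:
        by_lang.setdefault(a.language, []).append(a)
    stats = {}
    for lang, items in by_lang.items():
        ttp = [d for d in map(time_to_patch_days, items) if d is not None]
        stats[lang] = {
            "advisories": len(items),
            "median_ttp_days": median(ttp) if ttp else None,
            "unpatched_fraction": (len(items) - len(ttp)) / len(items),
            "mean_contributors": mean(a.contributors for a in items),
        }
    return stats


def risk_score(s: dict) -> float:
    """Weighted sum of normalised factors; higher means riskier to depend on."""
    ttp = s["median_ttp_days"]
    ttp_term = 1.0 if ttp is None else min(ttp / TTP_CAP_DAYS, 1.0)
    bus_term = 1.0 / (1.0 + s["mean_contributors"])  # few maintainers: slower patches
    return (WEIGHTS["ttp"] * ttp_term
            + WEIGHTS["unpatched"] * s["unpatched_fraction"]
            + WEIGHTS["bus_factor"] * bus_term)


def rank_languages(advisories) -> list[tuple[str, float]]:
    """Languages ordered from riskiest to least risky under the sample data."""
    stats = per_language_stats(advisories)
    return sorted(((lang, round(risk_score(s), 3)) for lang, s in stats.items()),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for (lang, kingdom), n in sorted(categorise(ADVISORIES).items()):
        print(f"{lang:10} {kingdom:40} {n}")
    stats = per_language_stats(ADVISORIES)
    for lang, score in rank_languages(ADVISORIES):
        print(f"{lang:10} risk={score:.3f} {stats[lang]}")
```

The score deliberately keeps each factor separate so that a reader can see why a language ranks where it does (here C ranks highest because of its long median time-to-patch and small maintainer base, not because of any property of the language itself). Language complexity and ease of applying patches, the remaining factors from the description, are not modelled because they need an operational definition that the study would have to supply.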