User Tools

Site Tools


vulnerability_discovery_models

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

vulnerability_discovery_models [2018/08/31 10:58]
ivan.pashchenko@unitn.it
vulnerability_discovery_models [2018/08/31 11:29] (current)
ivan.pashchenko@unitn.it Added paper from WEIS
Line 29: Line 29:
  
 Do you want to check if your project actually uses some vulnerable dependencies? Let us know. Do you want to check if your project actually uses some vulnerable dependencies? Let us know.
 +
  
 ===== A Screening Test for Disclosed Vulnerabilities in FOSS Components ===== ===== A Screening Test for Disclosed Vulnerabilities in FOSS Components =====
Line 44: Line 45:
  
 If you are interested in getting the code for the analysis please let us know. If you are interested in getting the code for the analysis please let us know.
 +
 +
 +===== Effort of security maintenance of FOSS components ===== 
 +
 +In our paper we investigated publicly available factors (from number of active users to commits, from code size to usage of popular programming languages, etc.) to identify which ones impact three potential effort models: Centralized (the company checks each component and propagates changes to the product groups), Distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and Hybrid (seldom used components are checked individually by each development team, the rest is centralized).
 +
 +We use Grounded Theory to extract the factors from a six months study at the vendor and report the results on a sample of 152 FOSS components used by the vendor.
  
 ===== Which static analyzer performs best on a particular FOSS project? ===== ===== Which static analyzer performs best on a particular FOSS project? =====
vulnerability_discovery_models.txt ยท Last modified: 2018/08/31 11:29 by ivan.pashchenko@unitn.it