An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications

This paper examines software vulnerabilities in common Python packages used particularly for web development. The empirical dataset is based on the PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository. The methodological approach builds on a release-based time series analysis of the conditional probabilities for the releases of the packages to be vulnerable. According to the results, many of the Python vulnerabilities observed seem to be only modestly severe; input validation and cross-site scripting have been the most typical vulnerabilities. In terms of the time series analysis based on the release histories, only the recent past is observed to be relevant for statistical predictions; the classical Markov property holds.
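The release-based analysis summarised above rests on two steps: mapping each release of a package to a binary "known vulnerable" flag using the version ranges in the advisory database, and then estimating the probability that a release is vulnerable conditional on the flags of the preceding releases. The block below is an added illustration of both steps, not the paper's code or dataset. The release list and advisories are constructed, and the advisory shape (a list of comma-separated version specifier strings under `specs`) is an assumption modelled on how Safety DB entries are commonly laid out rather than a parser for the real file. The final function compares second-order with first-order conditional probabilities, which is the intuition behind the abstract's Markov-property finding: if the extra lag changes nothing, only the most recent release matters.

```python
"""Turn per-package advisories into a release-ordered vulnerability sequence and
estimate the conditional probabilities the abstract describes. Added example,
not the paper's code or data; the advisory shape is an assumption modelled on
Safety DB's "specs" lists."""
import operator

# Constructed release history of a hypothetical package, oldest first.
RELEASES = ["1.0", "1.1", "1.2", "1.3", "2.0", "2.1", "2.2", "2.3", "3.0", "3.1"]

# Constructed advisories. Assumed convention: "specs" is a list of specifier
# strings; commas inside one string are AND, separate strings are OR.
ADVISORIES = [
    {"id": "EXAMPLE-1", "specs": [">=1.1,<1.3"]},
    {"id": "EXAMPLE-2", "specs": ["==2.1"]},
    {"id": "EXAMPLE-3", "specs": [">=2.2,<3.0", "==3.1"]},
]

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}


def parse_version(text):
    """Dotted numeric version -> tuple of ints (sufficient for the constructed data)."""
    return tuple(int(part) for part in text.strip().split("."))


def matches_spec(version, spec):
    """True when `version` satisfies every comma-separated clause in `spec`."""
    for clause in spec.split(","):
        clause = clause.strip()
        for symbol in (">=", "<=", "==", "!=", ">", "<"):  # two-char operators first
            if clause.startswith(symbol):
                bound = parse_version(clause[len(symbol):])
                if not _OPS[symbol](parse_version(version), bound):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier: {clause!r}")
    return True


def vulnerable_flags(releases, advisories):
    """Release-ordered list: 1 if any advisory covers the release, else 0."""
    return [int(any(matches_spec(r, s) for a in advisories for s in a["specs"]))
            for r in releases]


def conditional_probs(seq, order=1):
    """Empirical P(x_t = 1 | x_{t-order}, ..., x_{t-1}) for each history observed."""
    hits, totals = {}, {}
    for t in range(order, len(seq)):
        history = tuple(seq[t - order:t])
        totals[history] = totals.get(history, 0) + 1
        hits[history] = hits.get(history, 0) + seq[t]
    return {h: hits[h] / totals[h] for h in totals}


def markov_deviation(seq):
    """Largest gap between second- and first-order conditional probabilities.

    Near zero means the second lag adds nothing beyond the first, which is what
    the Markov property predicts; with only a handful of releases, as in this
    constructed data, the estimate is necessarily noisy."""
    first = conditional_probs(seq, order=1)
    second = conditional_probs(seq, order=2)
    return max(abs(p - first[(hist[-1],)]) for hist, p in second.items())


if __name__ == "__main__":
    flags = vulnerable_flags(RELEASES, ADVISORIES)
    print("sequence:", flags)
    print("P(vulnerable | previous release):", conditional_probs(flags))
    print("max second-vs-first-order gap:", round(markov_deviation(flags), 3))
```

On the constructed data the sequence comes out as `[0, 1, 1, 0, 0, 1, 1, 1, 0, 1]`, giving P(vulnerable | previous clean) = 0.75 and P(vulnerable | previous vulnerable) = 0.6. Real release histories are far longer, and the paper's time series models estimate these probabilities jointly across packages rather than from raw counts, but the flagging and conditioning logic is the same.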
