Catalogue Search | MBRL
194,961 result(s) for "Software - supply"
Construction of Software Supply Chain Threat Portrait Based on Chain Perspective
by Luo, Qin; Wu, Peng; Wang, Maoyang
in Artificial intelligence; attack technique matrix; Computational linguistics
2023
With the rapid growth of the software industry, the software supply chain (SSC) has become the most intricate system in the complete software life cycle, and the security threat situation is becoming increasingly severe. For the description of the SSC, the relevant research mainly focuses on the perspective of developers, lacking a comprehensive understanding of the SSC. This paper proposes a chain portrait framework of the SSC based on a resource perspective, which comprehensively depicts the threat model and threat surface indicator system of the SSC. The portrait model includes an SSC threat model and an SSC threat indicator matrix. The threat model has 3 levels and 32 dimensions and is based on a generative artificial intelligence model. The threat indicator matrix is constructed using the Attack Net model comprising 14-dimensional attack strategies and 113-dimensional attack techniques. The proposed portrait model’s effectiveness is verified through existing SSC security events, domain experts, and event visualization based on security analysis models.
Journal Article
Large teams develop and small teams disrupt science and technology
2019
One of the most universal trends in science and technology today is the growth of large teams in all areas, as solitary researchers and small teams diminish in prevalence [1–3]. Increases in team size have been attributed to the specialization of scientific activities [3], improvements in communication technology [4, 5], or the complexity of modern problems that require interdisciplinary solutions [6–8]. This shift in team size raises the question of whether and how the character of the science and technology produced by large teams differs from that of small teams. Here we analyse more than 65 million papers, patents and software products that span the period 1954–2014, and demonstrate that across this period smaller teams have tended to disrupt science and technology with new ideas and opportunities, whereas larger teams have tended to develop existing ones. Work from larger teams builds on more-recent and popular developments, and attention to their work comes immediately. By contrast, contributions by smaller teams search more deeply into the past, are viewed as disruptive to science and technology and succeed further into the future—if at all. Observed differences between small and large teams are magnified for higher-impact work, with small teams known for disruptive work and large teams for developing work. Differences in topic and research design account for a small part of the relationship between team size and disruption; most of the effect occurs at the level of the individual, as people move between smaller and larger teams. These results demonstrate that both small and large teams are essential to a flourishing ecology of science and technology, and suggest that, to achieve this, science policies should aim to support a diversity of team sizes.
Analyses of the output produced by large versus small teams of researchers and innovators demonstrate that their work differs systematically in the extent to which it disrupts or develops existing science and technology.
Journal Article
A Survey of Open-Source Cryptographic Software Supply Chain Security
by Jing-Feng, RONG; Xi-Juan, SI; Ping-Yuan, GE
in Algorithms; Cryptography; Open source software
2023
This paper is the first survey article to investigate, analyze and summarize the security problems of the open-source cryptographic software supply chain. First, by reviewing and analyzing the literature on open-source software supply chains, cryptographic algorithms and related fields, it discusses the differences between the open-source software supply chain and the open-source cryptographic software supply chain and defines the research scope of the latter. Second, taking typical security incidents in the cryptographic software supply chain as the entry point, it constructs a risk model for the open-source cryptographic software supply chain. Third, for each category of security risk identified, it draws on mature cases of risk management in physical supply chains and on the risk countermeasures used for open-source cryptographic software, and summarizes the means of preventing and controlling security risks in the open-source cryptographic software supply chain. Finally, it points out the challenges and opportunities facing the field of open-source cryptographic software supply chains and indicates directions for future research.
Journal Article
World of code: enabling a research workflow for mining and analyzing the universe of open source VCS data
by Valiev, Marat; Ma, Yuxing; Kennard, David
in Control data (computers); Evaluation; Open source software
2021
Open source software (OSS) is essential for modern society and, while substantial research has been done on individual (typically central) projects, only a limited understanding of the periphery of the entire OSS ecosystem exists. For example, how are the tens of millions of projects in the periphery interconnected through technical dependencies, code sharing, or knowledge flow? To answer such questions we: a) create a very large and frequently updated collection of version control data in the entire FLOSS ecosystems named World of Code (WoC), that can completely cross-reference authors, projects, commits, blobs, dependencies, and history of the FLOSS ecosystems and b) provide capabilities to efficiently correct, augment, query, and analyze that data. Our current WoC implementation is capable of being updated on a monthly basis and contains over 18B Git objects. To evaluate its research potential and to create vignettes for its usage, we employ WoC in conducting several research tasks. In particular, we find that it is capable of supporting trend evaluation, ecosystem measurement, and the determination of package usage. We expect WoC to spur investigation into global properties of OSS development leading to increased resiliency of the entire OSS ecosystem. Our infrastructure facilitates the discovery of key technical dependencies, code flow, and social networks that provide the basis to determine the structure and evolution of the relationships that drive FLOSS activities and innovation.
Journal Article
Collaboration gets the most out of software
by Eisenbraun, Ben; Timony, Michael A; Morin, Andrew
in Biology; Biophysics and Structural Biology; Collaboration
2013
By centralizing many of the tasks associated with the upkeep of scientific software, SBGrid allows researchers to spend more of their time on research.
Journal Article
Dependabot and security pull requests: large empirical study
by Bissyandé, Tégawendé F.; Moha, Naouel; Rebatchi, Hocine
in Automation; Compilers; Computer Science
2024
Modern software development is a complex engineering process where developer code cohabits with an increasingly larger number of external open-source components. Even though these components facilitate sharing and reusing code along with other benefits related to maintenance and code quality, they are often the seeds of vulnerabilities in the software supply chain leading to attacks with severe consequences. Indeed, one common strategy used to conduct attacks is to exploit or inject other security flaws in new versions of dependency packages. It is thus important to keep dependencies updated in a software development project. Unfortunately, several prior studies have highlighted that, to a large extent, developers struggle to keep track of the dependency package updates, and do not quickly incorporate security patches. Therefore, automated dependency-update bots have been proposed to mitigate the impact and the emergence of vulnerabilities in open-source projects. In our study, we focus on Dependabot, a dependency management bot that has gained popularity on GitHub recently. It allows developers to keep a lookout on project dependencies and reduce the effort of monitoring the safety of the software supply chain. We performed a large empirical study on dependency updates and security pull requests to understand: (1) the degree and reasons of Dependabot’s popularity; (2) the patterns of developers’ practices and techniques to deal with vulnerabilities in dependencies; (3) the management of security pull requests (PRs), the threat lifetime, and the fix delay; and (4) the factors that significantly correlate with the acceptance of security PRs and fast merges. To that end, we collected a dataset of 9,916,318 pull request-related issues made in 1,743,035 projects on GitHub for more than 10 different programming languages. In addition to the comprehensive quantitative analysis, we performed a manual qualitative analysis on a representative sample of the dataset, and we substantiated our findings by sending a survey to developers that use dependency management tools. Our study shows that Dependabot dominates more than 65% of dependency management activity, mainly due to its efficiency, accessibility, adaptivity, and availability of support. We also found that developers handle dependency vulnerabilities differently, but mainly rely on the automation of PRs generation to upgrade vulnerable dependencies. Interestingly, Dependabot’s and developers’ security PRs are highly accepted, and the automation allows to accelerate their management, so that fixes are applied in less than one day. However, the threat of dependency vulnerabilities remains hidden for 512 days on average, and patches are disclosed after 362 days due to the reliance on the manual effort of security experts. Also, project characteristics, the amount of PR changes, as well as developer and dependency features seem to be highly correlated with the acceptance and fast merges of security PRs.
Journal Article
Six tips for going public with your lab’s software
2024
It’s not enough to write high-quality programs. If you want to make your apps public — and usable — you should also follow these steps.
Journal Article
Understanding vulnerabilities in software supply chains
2025
Context
Due to the dependency relations among software, vulnerabilities in software supply chains (SSC) may cause more serious security threats than independent software systems. This poses new challenges for ensuring software security including the spread of risks and the increase in maintenance costs.
Objective
To address these challenges, a deep understanding is needed of how a vulnerability behaves in an SSC in terms of vulnerability source, propagation, localization, and repair. However, no studies have been conducted specifically for this purpose.
Method
To fill this gap, we provide an experience study of real-world vulnerability characteristics in the context of SSCs. Specifically, we examine the vulnerability source first and further study the fine-grained vulnerability propagation, localization, and repair of libraries and their corresponding client programs.
Results
The key findings are summarized as follows: a) 99% of vulnerabilities in client programs are caused by their dependencies, and 81.26% of SSC vulnerabilities detected by package-level analysis are false positives; b) for vulnerability localization, the vulnerability database does not have enough information to help direct localization, but the vulnerability descriptions in the open-source vulnerability database provide much important information for indirect localization. c) client developers deal with vulnerable dependencies in many ways including upgrading dependencies, modifying client code, and deleting relevant code or vulnerable dependencies.
Conclusions
Based on these observations, we make suggestions for future research in this direction: a) when testing important client programs, vulnerability detection tools should pay attention to both client code and the dependent libraries; b) localizing vulnerability based on vulnerability descriptions is not straightforward, hence a proper combination of program analysis and description analysis is expected to improve localization accuracy; c) there can be various strategies for dealing with vulnerable libraries, and automating the enforcement of those strategies will be expected.
Journal Article
Workflow systems turn raw data into scientific knowledge
2019
How workflow tools can make your computational methods portable, maintainable, reproducible and shareable.
Journal Article