Abstract

Software vulnerabilities are a well-known problem in current software projects. The situation becomes even more complicated, due to the ever-increasing complexity of the interconnections between both commercial and free open-source software (FOSS) projects. In this dissertation, we are aiming to facilitate the security assessment process in an industrial context. We start from the level of the own code of an individual software project, for which we propose a differential benchmarking approach for automatic assessment of static analysis security testing tools. We have demonstrated this approach, using 70 revisions of four major versions of Apache Tomcat with 62 distinct vulnerability fixes as a ground-truth set to test 7 tools. Since modern software projects often import functionality via software dependencies, that can also introduce vulnerabilities into the dependent project, we propose a methodology for counting actually vulnerable dependencies. We have evaluated the methodology on the set of 200 most used industry-relevant FOSS libraries, that resulted in 10905 distinct library instances when considering all the library versions. Finally, we have investigated the situation on the level of the FOSS ecosystem. Here we have studied decision-making strategies of developers for selecting and updating dependencies, as well as the influence of security concerns on the developers' decisions from quantitative and qualitative perspectives. For the qualitative study we have run 15 semi-structured interviews with software developers from 15 companies located in 7 countries.