Context <p>Security issues in Open-Source (OS) software systems emerge from everyday coding activities carried out by developers. As security best practices evolve toward “shift-left” paradigms—emphasizing early and continuous integration of security into the development process—understanding how these issues are introduced and fixed has become increasingly important.</p> Objective <p>Our primary goal is to study the spread and evolution of security issues that lie in the source code of OS Python software systems at commit level.</p> Method <p>We conducted a mining study in which we quantitatively analyzed the commit histories of 361 OS Python software systems, whose repositories were publicly available on <i>GitHub</i>, for a total of 380,931 commits analyzed. To identify security issues at the commit level, we used <i>SonarQube</i>, a popular and widely used both in academic and industrial contexts <i>Static Application Security Testing</i> (<i>SAST</i>) tool.</p> Results <p>We observed that security issues are spread in OS Python software systems (on average, there are about 14 security issues per commit) and tend to survive for 11 days and 14 commits. Critical security issues, despite their high severity level, are the most spread and tend to survive the most. Furthermore, we noticed that 55 kinds of security issues—belonging to 62 <i>OWASP Top 10</i> and <i>CWE</i> security classes—were introduced, and the top six (per number of introductions) are mostly critical and account for 77% of all introduced security issues.</p> Conclusions <p>Python developers need to give utmost importance to security issues, particularly critical ones. To that end, we can suggest developers that use secure coding practices, automated tools, or even <i>DevSecOps</i> to limit/avoid the introduction of security issues into their source code or fix them as soon as possible.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Security issues in python open-source software: a mining study from GitHub

  • Sabato Nocera,
  • Simone Romano,
  • Rita Francese,
  • Giuseppe Scanniello

摘要

Context

Security issues in Open-Source (OS) software systems emerge from everyday coding activities carried out by developers. As security best practices evolve toward “shift-left” paradigms—emphasizing early and continuous integration of security into the development process—understanding how these issues are introduced and fixed has become increasingly important.

Objective

Our primary goal is to study the spread and evolution of security issues that lie in the source code of OS Python software systems at commit level.

Method

We conducted a mining study in which we quantitatively analyzed the commit histories of 361 OS Python software systems, whose repositories were publicly available on GitHub, for a total of 380,931 commits analyzed. To identify security issues at the commit level, we used SonarQube, a popular and widely used both in academic and industrial contexts Static Application Security Testing (SAST) tool.

Results

We observed that security issues are spread in OS Python software systems (on average, there are about 14 security issues per commit) and tend to survive for 11 days and 14 commits. Critical security issues, despite their high severity level, are the most spread and tend to survive the most. Furthermore, we noticed that 55 kinds of security issues—belonging to 62 OWASP Top 10 and CWE security classes—were introduced, and the top six (per number of introductions) are mostly critical and account for 77% of all introduced security issues.

Conclusions

Python developers need to give utmost importance to security issues, particularly critical ones. To that end, we can suggest developers that use secure coding practices, automated tools, or even DevSecOps to limit/avoid the introduction of security issues into their source code or fix them as soon as possible.