ProSVED (Projection of Security Vulnerabilities caused by Exploits in Dependencies) aims to forecast software vulnerabilities originating from security exploits in third-party libraries. In modern software projects, the code directly managed by developers, such as for security patches, represents only a small portion of the entire codebase. The majority resides in external dependencies, which pose significant security risks to the entire project. These risks can be mitigated through strategic update policies, but identifying optimal policies requires solving a complex prognosis problem: detecting the critical vulnerabilities hidden among vast amounts of third-party code.
ProSVED introduces an innovative approach to address this challenge, facilitating the selection of the most effective update policies to minimize security risks from external code. This project advances the field of software security analysis beyond traditional empirical methods into the realm of formal risk modeling for prediction and mitigation.
Estimating the quantity and severity of security vulnerabilities in code is crucial for software quality and control. While empirical methods are limited to detection, and traditional formal approaches rely on assumptions that don't hold in this context (such as the independence of codebases), Statistical Model Checking, though a relevant formal method, is often ineffective due to the rarity of significant events.
ProSVED presents a new formalism to accurately model the propagation of vulnerabilities from third-party libraries to the main codebase. This enables the development of a risk analysis theory to assess and optimize software-update policies for different codebases, significantly enhancing the ability to predict and mitigate security vulnerabilities.