FOSS is here to stay, displacing closed, proprietary counterparts—great!
FOSS exposes bugs to be found and fixed by the community—great!
FOSS exposes security issues that attackers can exploit—gr..what?
Over the last decades, source-code transparency has also made the job of black-hat hackers easier. Security websites now publish vulnerabilities, and even working exploits, online. Despite good practices such as responsible disclosure, it is the sheer amount of (external) code in any project that ultimately makes everyone vulnerable. In plain words: nobody is safe.
From that base, this talk puts forward the need for a concept of *probability of future exploits*. This matters for project management, but also at the developer level, to weigh the risk of not upgrading (or of upgrading!) a dependency. We show how this probability can, and must, be computed from a project's dependency tree, in a manner that only FOSS allows, since the source and history of every dependency are open for inspection. We also show that the development history of the project and of its dependencies is key to obtaining useful results.
Finally, we merge the dependency tree and the development history of a project into a white-box model, from which we estimate the probability of future exploits. We show how to do this for the Java/Maven ecosystem, using the FOSS tool FIG for the estimation. FIG, written in C++ and released under GPLv3, was designed for statistical estimation and can compute the probability of attacks in complex scenarios such as these.
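To make the two ingredients named above concrete (a dependency tree that says which code is shipped, and a development history that says how often each piece has needed a security fix), here is an added illustrative example written by the editor. It is not code from the talk, from the speaker, or from FIG, and the talk's white-box model is richer than this. The example walks a constructed Maven-style dependency tree, turns a constructed per-artifact history of security fixes into a yearly rate, aggregates the rates into the probability that at least one exploitable issue surfaces within a given horizon, and then compares keeping an old dependency version with upgrading it. The artifact coordinates, fix years, the 5% floor rate and the independent-Poisson assumption are all the editor's assumptions.

```python
"""Toy estimate of the probability of future exploits from a dependency tree
and development history.  Editor's illustration: not the talk's model, not FIG.
All data below is constructed; the statistical assumptions are stated inline."""
from dataclasses import dataclass, field
from math import exp
from typing import Dict, List, Set, Tuple


@dataclass
class Artifact:
    """A Maven-style artifact, identified by groupId:artifactId:version."""
    coords: str
    deps: List["Artifact"] = field(default_factory=list)


def resolve(root: Artifact) -> Set[str]:
    """Return the distinct artifacts reachable from the root (the shipped closure).
    An artifact reached through several paths is counted once, since Maven ships a
    single copy.  Version-mediation rules are deliberately left out."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        art = stack.pop()
        if art.coords in seen:
            continue
        seen.add(art.coords)
        stack.extend(art.deps)
    return seen


def yearly_rate(fix_years: List[int], now: int, window: int, floor: float) -> float:
    """Per-year rate of security-relevant fixes observed in the last `window` years.
    Assumption: past security fixes are a usable proxy for how often exploitable
    bugs will be disclosed in the future.  `floor` (assumption) keeps an artifact
    with no recorded fixes from being treated as risk-free; an empty history is
    often just a sign that nobody has looked."""
    recent = [y for y in fix_years if now - window < y <= now]
    return max(len(recent) / window, floor)


def p_exploit_within(root: Artifact, history: Dict[str, List[int]], horizon: float,
                     now: int = 2024, window: int = 5, floor: float = 0.05) -> float:
    """Probability that at least one artifact in the closure gets an exploitable
    issue within `horizon` years.  Assumption: each artifact is an independent
    Poisson process, so the disclosures merge into one process whose rate is the
    sum, and P(at least one in T) = 1 - exp(-T * sum(rate_i))."""
    total = sum(yearly_rate(history.get(c, []), now, window, floor) for c in resolve(root))
    return 1.0 - exp(-total * horizon)


# Constructed history: years in which a security-relevant fix landed in each artifact.
HISTORY: Dict[str, List[int]] = {
    "org.example:app:1.0": [2021, 2023],
    "org.example:web:1.4": [2020, 2021, 2022, 2023],  # old line, still being patched
    "org.example:web:2.1": [2023],                    # candidate upgrade
    "org.example:json:3.0": [2020],
    "org.example:log:1.2": [],                        # no recorded fixes: hits the floor
}

# Constructed trees: json is reached both via web and via log, so it is counted once.
JSON = Artifact("org.example:json:3.0")
LOG = Artifact("org.example:log:1.2", [JSON])
OLD_TREE = Artifact("org.example:app:1.0", [Artifact("org.example:web:1.4", [JSON]), LOG])
NEW_TREE = Artifact("org.example:app:1.0", [Artifact("org.example:web:2.1", [JSON]), LOG])


def compare_upgrade(horizon: float = 1.0) -> Tuple[float, float]:
    """Probability of at least one exploitable issue over `horizon` years, before and
    after upgrading web 1.4 -> 2.1 with everything else held fixed."""
    return (p_exploit_within(OLD_TREE, HISTORY, horizon),
            p_exploit_within(NEW_TREE, HISTORY, horizon))


if __name__ == "__main__":
    p_old, p_new = compare_upgrade()
    print(f"shipped artifacts: {sorted(resolve(OLD_TREE))}")
    print(f"P(exploit within 1y) keeping web:1.4 = {p_old:.3f}")
    print(f"P(exploit within 1y) after web:2.1   = {p_new:.3f}")
```

Two things the abstract's argument relies on show up directly here. First, the tree matters: the risk is driven by the whole shipped closure, not by the direct dependencies listed in the POM, and a transitive artifact reached twice must be counted once. Second, history matters in both directions: in this constructed data the upgrade lowers the estimate because web 2.1 has a quieter recent history, but swapping the two histories flips the sign, which is exactly the "or of upgrading!" case. The floor rate is the one explicit guard against the optimistic failure mode where an artifact nobody has audited looks perfectly safe.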