Characteristics and Trends of Zero-Day Vulnerabilities in Open-Source Code


Research area: Strategies



Conference: 2024 International Russian Automation Conference (RusAutoCon)


Abstract

Open-source software libraries, tools and projects play an important role in modern software development. Their widespread adoption in information systems creates potential security vulnerabilities, especially zero-day vulnerabilities, which can be discovered and exploited more easily because the source code is available to attackers. This study examines the need to manage security risks when using open-source components by analyzing the trends and characteristics of zero-day vulnerabilities reported between 2014 and 2023. Using data from the GitHub Advisory Database and the CVE Project, the authors analyzed vulnerability trends and the programming languages they affect; PHP, C/C++, and JavaScript/TypeScript lead in the number of reported vulnerabilities. The methodology relies on data analysis tools such as Python, Jupyter Notebook, the Polars library for data processing, and Seaborn for visualization. The results show the prevalence of cross-site scripting (XSS) and buffer overflow vulnerabilities, highlighting the need to adopt security practices throughout the open-source software ecosystem. A dataset was generated containing real examples of vulnerable code together with the corresponding metadata. The study contributes to the understanding of open-source vulnerability trends and provides a dataset of vulnerable code. The defense will include a methodology for researching trends in software vulnerabilities, the research results, and the dataset. It satisfies the following provisions of the specialty passport: methods, models, and means of detecting, identifying, classifying, and analyzing threats to the information security of objects of various types and classes; methods, models, and means of developing secure software and identifying security defects in it.


Authors

Alexander A. Zakharov, Information Security Department, Tyumen State University, Tyumen, Russia

Kirill I. Gladkikh, Information Security Department, Tyumen State University, Tyumen, Russia

Paper information

Year of publication: 2024
Citations: 1
Country of publication: Russia
Source: IEEE
