
[Graduate School of Data Science] SNU Data Science - BK21 Seminar, Fri 3/22

2024.03.22.

Hello,

The Graduate School of Data Science is hosting a BK21 x ERC seminar as described below, and we would appreciate your interest and participation.

The speaker, Professor 정성균, is a professor of Supply Chain Management at the Haslam College of Business, University of Tennessee.

His research addresses supply chain management in relation to digital supply chains, cybersecurity, and sustainable operations.


< BK21 x ERC Seminar Information >
- Date and time: Fri, March 22, 2024, 2:00 - 3:00 PM
- Venue: Graduate School of Data Science, Seoul National University, Building 942, Room 302
- Speaker: Professor 정성균 (Assistant Professor at Haslam College of Business, University of Tennessee, Knoxville)
- Topic: Improving Software Supply Chain Security with Automation: Evidence from Dependabot

Abstract:
A newer but increasingly prevalent class of cyberattacks targets the software supply chain, which encompasses the components involved in software development. A major gateway for software supply chain attacks is the exploitation of security vulnerabilities in external open-source components (i.e., dependencies). To address this, developers must promptly resolve each vulnerable dependency that their software uses (e.g., by updating the vulnerable version of the dependency to a patched version). In response to this challenge, automated dependency management tools have recently been released to help developers with the process of resolving vulnerable dependencies. We investigate how the adoption of one such tool, Dependabot, improves the resolution speed of vulnerable dependencies. Through the analysis of 1,963,957 JavaScript open-source software packages, we identified 1,545,860 instances of vulnerable dependencies. Using survival analysis, our findings reveal that packages that adopt Dependabot exhibit a 3.258 times higher resolution hazard and, thus, are faster at resolving vulnerable dependencies. Notably, this effect is more pronounced for less visible dependencies and for vulnerabilities categorized at the lowest severity level. However, the impact of Dependabot adoption on the resolution of vulnerable dependencies is lower for more complex packages, suggesting that the tool is more effective when developers have fewer components to maintain. Our results provide implications for how developers can collaborate with automation tools to better manage their dependencies and underscore the value of automation for enhancing software supply chain security.
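As an added illustration of the two steps the abstract describes (this is not code from the speaker, the study, or Dependabot), the Python below works on constructed data: it flags dependencies in a lockfile-style version map that fall inside a placeholder advisory's affected range, comparing versions numerically so that 0.10.0 is correctly treated as newer than 0.9.0, and it estimates time-to-resolution for two constructed groups with a Kaplan-Meier survival curve, in which dependencies still unresolved at the end of the observation window are right-censored rather than dropped. The package names, advisory ranges and resolution timings are invented; the hazard ratio in the abstract comes from the study's own model and is not reproduced here.

```python
"""Added example (not the speaker's or the study's code): flag vulnerable
dependencies in a lockfile, then estimate how quickly they get resolved with a
Kaplan-Meier survival curve. All advisories, versions and timings are constructed."""
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'0.10.0' -> (0, 10, 0): compare numerically, since as strings '0.10.0' < '0.9.0'."""
    return tuple(int(part) for part in v.split("."))


# Constructed advisory feed (placeholder package names, not real advisories).
# A dependency is affected when introduced <= installed < patched.
ADVISORIES = [
    {"name": "left-pad-ish", "introduced": "1.0.0", "patched": "1.3.1", "severity": "low"},
    {"name": "yaml-ish", "introduced": "2.0.0", "patched": "2.2.2", "severity": "high"},
    {"name": "http-ish", "introduced": "0.1.0", "patched": "0.9.0", "severity": "critical"},
]

# Constructed package-lock-style map of installed dependency versions.
LOCKFILE: Dict[str, str] = {
    "left-pad-ish": "1.2.0",  # below the patched version: vulnerable
    "yaml-ish": "2.2.2",      # exactly the patched version: fixed
    "http-ish": "0.10.0",     # above 0.9.0 numerically, even though the string sorts lower
    "unrelated": "4.0.0",     # no advisory
}


def find_vulnerable(lockfile: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (name, installed, patched, severity) for every affected dependency."""
    hits = []
    for adv in advisories:
        installed = lockfile.get(adv["name"])
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["patched"]):
            hits.append((adv["name"], installed, adv["patched"], adv["severity"]))
    return hits


def kaplan_meier(durations: List[int], resolved: List[bool]) -> List[Tuple[int, float]]:
    """Survival curve S(t): share of vulnerable dependencies still unresolved after t days.

    resolved=False marks a dependency still open when observation ended
    (right-censored); it stays in the risk set until that day but never counts as an event.
    """
    records = sorted(zip(durations, resolved))
    at_risk = len(records)
    survival = 1.0
    curve: List[Tuple[int, float]] = []
    i = 0
    while i < len(records):
        day = records[i][0]
        events = seen = 0
        while i < len(records) and records[i][0] == day:
            seen += 1
            events += int(records[i][1])
            i += 1
        if events:
            survival *= 1.0 - events / at_risk
            curve.append((day, survival))
        at_risk -= seen  # resolved and censored records both leave the risk set
    return curve


def median_resolution_days(curve: List[Tuple[int, float]]) -> Optional[int]:
    """First day on which at most half of the vulnerable dependencies remain open."""
    for day, s in curve:
        if s <= 0.5:
            return day
    return None


# Constructed observation data: days from advisory publication to resolution,
# with False where the dependency was still unresolved at the end of the study window.
ADOPTERS = ([3, 5, 7, 9, 10, 12, 30], [True, True, True, True, False, True, False])
NON_ADOPTERS = ([20, 45, 60, 90, 120, 120], [True, True, False, True, False, False])


def compare_groups() -> Dict[str, Optional[int]]:
    """Median days-to-resolution per group, the quantity a hazard comparison summarises."""
    return {
        "adopters": median_resolution_days(kaplan_meier(*ADOPTERS)),
        "non_adopters": median_resolution_days(kaplan_meier(*NON_ADOPTERS)),
    }


if __name__ == "__main__":
    for hit in find_vulnerable(LOCKFILE, ADVISORIES):
        print("vulnerable: %s@%s -> update to %s (%s)" % hit)
    print(compare_groups())
```

Censoring is the detail worth noticing: a dependency that is still open when the study window closes carries real information (it survived at least that long), and dropping it would make both groups look faster than they are. The same bookkeeping applies when measuring a team's own remediation times from advisory publication dates and merged update pull requests.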