Title: Vulnerability diffusions in software product networks
Authors: Martin Kang, Gary Templeton, SungYong Um
DOI: 10.1002/joom.1270
Journal: Journal of Operations Management, volume 69, issue 8, pages 1342-1370
Publication date: 2023-07-16
Publication type: Journal Article
Journal impact factor: 6.5; JCR quartile: Q1 (Management)
Open access: no
Indexing platform: Semantic Scholar
URL: https://onlinelibrary.wiley.com/doi/10.1002/joom.1270
Citation count: 0
Abstract
During software product development, the combination of digital resources (such as application programming interfaces and software development kits) establishes loose and tight edges between nodes, which form a software product network (SPN). These edges serve as observable conduits that may help practitioners and researchers better understand how vulnerabilities diffuse through SPNs. We apply network theory to analyze data from over 12 years of records extracted from the National Vulnerability Database. We contribute novel measures established using machine learning to gauge the properties influencing vulnerability diffusion within an SPN. We observed an SPN having a discernable shape that changed over time via network updates. We propose hypotheses and find empirical evidence that vulnerability diffusion is influenced by edge dynamics, developer responses, and their interaction. Implications for practice are that increased developer responses reduce software vulnerability diffusion attributed to edge dynamics.
About the journal:
The Journal of Operations Management (JOM) is a leading academic publication dedicated to advancing the field of operations management (OM) through rigorous and original research. The journal's primary audience is the academic community, although it also values contributions that attract the interest of practitioners. However, it does not publish articles that are primarily aimed at practitioners, as academic relevance is a fundamental requirement.
JOM focuses on the management aspects of various types of operations, including manufacturing, service, and supply chain operations. The journal's scope is broad, covering both profit-oriented and non-profit organizations. The core criterion for publication is that the research question must be centered around operations management, rather than merely using operations as a context. For instance, a study on charismatic leadership in a manufacturing setting would only be within JOM's scope if it directly relates to the management of operations; the mere setting of the study is not enough.
Published papers in JOM are expected to address real-world operational questions and challenges. While not all research must be driven by practical concerns, there must be a credible link to practice that is considered from the outset of the research, not as an afterthought. Authors are cautioned against assuming that academic knowledge can be easily translated into practical applications without proper justification.
JOM's articles are abstracted and indexed by several prestigious databases and services, including Engineering Information, Inc.; Executive Sciences Institute; INSPEC; International Abstracts in Operations Research; Cambridge Scientific Abstracts; SciSearch/Science Citation Index; CompuMath Citation Index; Current Contents/Engineering, Computing & Technology; Information Access Company; and Social Sciences Citation Index. This ensures that the journal's research is widely accessible and recognized within the academic and professional communities.