Detailed bibliography

| Field | Value |
|---|---|
| Title: | Dependency Network Structure and Security Vulnerabilities in Software Supply Chains. |
| Authors: | Yoo, Eunae¹ (AUTHOR) yooeun@iu.edu; Craighead, Christopher W.² (AUTHOR) craighead@utk.edu; Samtani, Sagar³ (AUTHOR) ssamtani@iu.edu |
| Source: | Journal of Management Information Systems. 2025, Vol. 42 Issue 4, p1149-1176. 28p. |
| Subjects: | *COMPUTER security vulnerabilities, *SUPPLY chains, *STATISTICAL correlation, *COMPUTER software developers, COMPUTATIONAL complexity |
| Abstract: | Software packages can be susceptible to attack whenever they utilize dependencies containing security vulnerabilities (vulnerable dependencies). We theorize that the likelihood of relying on vulnerable dependencies is heightened by two structural dimensions of dependency networks: complexity (dependency count) and tight coupling (interdependence). Analyzing 40,049 packages, we find that complexity is positively associated with this likelihood and that vertical complexity (depth) plays a more prominent role than horizontal complexity (breadth). However, tight coupling is negatively associated with the likelihood of vulnerable dependencies. Further analyses reveal that this relationship turns positive with greater complexity but becomes more strongly negative as the number of package developers and the average number of developers per dependency increase. Our findings identify key boundary conditions under which tight coupling may be beneficial and offer a nuanced understanding of how dependency network structure influences the security of dependencies and, more broadly, the security of software supply chains. [ABSTRACT FROM AUTHOR] |
| Copyright notice: | Copyright of Journal of Management Information Systems is the property of Taylor & Francis Ltd and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) |
| Database: | Business Source Index |