
A Methodology and a Service for Software Security Analysis in Terms of Usage of Insecure 3rd Party Dependencies

Student: Bakin Aleksandr

Supervisor: Vladimir Bashun

Faculty: HSE Tikhonov Moscow Institute of Electronics and Mathematics (MIEM HSE)

Educational Programme: Cybersecurity (Master)

Final Grade: 9

Year of Graduation: 2024

In modern software development there are hardly any significant projects that do not use external dependencies in their codebase. According to Tidelift, 92% of applications contain open-source components, yet only 17% of organizations have a formal process for integrating new open-source components into their codebase [1]. According to Profiskop, the global base of open-source projects includes more than 200 million projects from over 70 million developers, and the number of new packages published to public package repositories is growing noticeably [2]. According to the research firm Gartner, supply chain attacks such as Dependency Confusion, Typosquatting, and Malicious Code Injection are growing exponentially [3]. The Log4Shell vulnerability in the widely used Apache Log4j library, which allowed remote execution of arbitrary code on the server, is still fresh in memory [4]. To mitigate the risks of supply chain attacks, a class of Software Composition Analysis (SCA) solutions exists. These solutions analyse the external components incorporated into a project's codebase for known vulnerabilities. However, the likelihood of those vulnerabilities actually being exploited "in the wild", as well as the security of the package repositories themselves, remain unaddressed by them. This work aims to improve software composition analysis practice. The methodology developed in this work allows organisations to structure their composition analysis processes more flexibly. The software solution developed in this work makes it possible to establish Quality Gates (predefined stages at which a project is checked for compliance with the required criteria before moving to the next stage) in the continuous integration and continuous deployment (CI/CD) pipeline of the software under development. The work contains 107 pages, 5 figures, 8 tables, 29 sources, and 3 appendices.
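The quality gate described in the abstract, shown here as an added example that is not the thesis's own tool: a small Python gate that matches pinned dependencies from a requirements.txt-style manifest against a vulnerability feed, then combines known severity (CVSS) with an exploitation-likelihood signal (an EPSS-style probability and a known-exploited flag) to decide whether a CI/CD stage may proceed. The manifest format, the feed fields, the policy thresholds, and every package name, advisory identifier and score below are constructed assumptions for illustration, not real advisories.

```python
"""Dependency quality gate for a CI/CD stage (added illustration, not the
thesis's tool). All packages, advisory ids and scores are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are ignored.
    Unpinned dependencies are rejected: a gate cannot reason about a range."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = unfixed
    advisory_id: str       # placeholder id, not a real CVE/GHSA
    cvss: float            # severity score
    epss: float            # exploitation probability in [0, 1] (EPSS-style)
    in_kev: bool           # listed as known exploited in the wild


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: Advisory


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(deps: Dict[str, str], feed: List[Advisory]) -> List[Finding]:
    """The SCA step: every advisory whose range covers a pinned version."""
    return [Finding(name, version, adv)
            for name, version in deps.items()
            for adv in feed
            if adv.package == name and is_affected(version, adv)]


@dataclass(frozen=True)
class GatePolicy:
    block_kev: bool = True   # known-exploited vulnerabilities always block
    max_epss: float = 0.10   # block when exploitation probability >= this
    max_cvss: float = 9.0    # block critical severity regardless of EPSS


def run_gate(manifest: str, feed: List[Advisory], policy: GatePolicy) -> dict:
    """Apply the policy to scan results and return a pass/fail report."""
    findings = scan(parse_manifest(manifest), feed)
    blocking: List[str] = []
    advisory_only: List[str] = []
    for f in findings:
        a = f.advisory
        if ((policy.block_kev and a.in_kev) or a.epss >= policy.max_epss
                or a.cvss >= policy.max_cvss):
            blocking.append(a.advisory_id)
        else:
            advisory_only.append(a.advisory_id)   # reported, but does not fail the stage
    return {"passed": not blocking, "finding_count": len(findings),
            "blocking": blocking, "advisory_only": advisory_only}


# Constructed sample input: hypothetical packages and placeholder advisories.
MANIFEST = """\
libfoo==1.4.1       # critical CVSS, low EPSS
netkit==2.2.0       # moderate CVSS, high EPSS
parserlib==1.2.0    # one old advisory no longer applies, one low-risk one does
cachekit==3.1.0     # unfixed and known exploited
"""

VULN_FEED = [
    Advisory("libfoo", "1.0.0", "1.4.2", "ADV-0001", cvss=9.8, epss=0.02, in_kev=False),
    Advisory("netkit", "2.0.0", "2.3.0", "ADV-0002", cvss=5.3, epss=0.45, in_kev=False),
    Advisory("parserlib", "0.1.0", "0.9.0", "ADV-0003", cvss=7.5, epss=0.01, in_kev=False),
    Advisory("cachekit", "3.0.0", None, "ADV-0004", cvss=6.1, epss=0.03, in_kev=True),
    Advisory("parserlib", "1.0.0", "1.3.0", "ADV-0005", cvss=4.0, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    report = run_gate(MANIFEST, VULN_FEED, GatePolicy())
    print("quality gate:", "PASS" if report["passed"] else "FAIL", report)
    raise SystemExit(0 if report["passed"] else 1)   # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the script's exit status is the gate: with the constructed data it fails on three findings (critical severity, high exploitation probability, and a known-exploited unfixed issue) while the fourth, low-risk finding is only reported. Separating "known vulnerable" from "likely to be exploited" is what lets a team tune the thresholds instead of blocking on every advisory.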

Full text (added May 15, 2024)
