Dependency update: Auto-fix tools are helpful but they can only take developers so far
The Equifax hack that exposed nearly half of all Americans is going to happen again. It’s only a matter of time. And it’s all because developers are too busy to deal with pull requests.
2017’s massive Equifax security breach is a pretty good example of why you should always update your software libraries.
For those of you who missed out on the excitement, Equifax is one of the main three credit reporting agencies in the US. As such, they have access to more or less everyone’s fairly sensitive information, including names, birth dates, social security numbers, and driver’s licenses. Basically, all the information necessary for identity theft. And now, 143 million people – roughly one-third of all Americans – have been exposed.
(To be fair, this still isn’t the biggest hack of all time. That dubious honor still lies with Yahoo’s 2013 hack, which affected everyone who had a Yahoo account at the time. All 3 billion of them.)
How did this happen?
Programmers are busy. Sometimes, they forget to update old libraries. Or maybe they don’t have time to trawl through legacy code to make sure all the patches are up to date. Unfortunately, this means that many websites are running outdated libraries with known, exploitable flaws. See Equifax, Yahoo, and countless others.
(BTW, we covered this topic well before the Equifax hack.)
“Most software programs rely, in part, on code in external ‘libraries’ to perform some of their functions,” said Chris Parnin, a computer science professor from North Carolina State University. “If those external libraries are modified to address flaws, programmers need to update their internal code to account for the changes. This is called ‘upgrading an out-of-date dependency.’ However, for various reasons, many programmers procrastinate, putting off the needed upgrades.”
In this particular case, Equifax neglected to patch and update their version of Apache Struts, a common enterprise platform. The Apache Software Foundation (ASF) put out a patch for this specific vulnerability back in March of that year. (They are also very clear that a patch for this particular issue was put out immediately after the hole was discovered.) Equifax had more than two months to apply the fix and save everyone this kind of trouble. But alas, we do not live in that world.
As the ASF said pointedly, “The Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
Equifax serves as a pretty clear test case for many companies and organizations about how poorly prepared they are for security issues. It’s just even more poignant, considering they sell services to keep personal data secure.
So how can we fix this?
Thankfully, this problem isn’t intractable.
A recent study by Samim Mirhosseini and Chris Parnin of North Carolina State University suggests that programmers can be reminded about updating libraries thanks to a number of tools, including auto-fix tools and widgets that note if a dependency is out of date.
It’s difficult to expect programmers to constantly check to see if there are new, safely available software updates. Let alone deal with the resulting migration efforts that arise when upgrading any dependency.
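To make concrete what a "dependency is out of date" widget or auto-fix bot actually computes, here is a small checker written for this article; it is an added example, not code from the study or from any real tool. It assumes a requirements-style manifest (`name==version` lines) and a constructed table of latest known versions standing in for a package index; both the manifest and the index are made up for illustration. It reports each pin as current, outdated or unknown, produces a badge-style one-line status, and rewrites the outdated pins the way an automated pull request would.

```python
"""Minimal out-of-date dependency checker.

Added example for illustration; not the article's, the study's, or any
real tool's code. Manifest and index below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample manifest (not from any real project).
SAMPLE_MANIFEST = """\
# web stack pinned a while ago
requests==2.18.0
flask==1.0.2
# already current
itsdangerous==2.1.2
# internal package, not on the index
internal-auth-lib==0.3.1
"""

# Constructed stand-in for the "latest version" data a badge or bot would
# fetch from a package index.
SAMPLE_INDEX: Dict[str, str] = {
    "requests": "2.31.0",
    "flask": "2.3.3",
    "itsdangerous": "2.1.2",
}

# One exact pin per line: name==version
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.18.0' into (2, 18, 0); a non-numeric component ends the tuple."""
    parts: List[int] = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {name: pinned_version}, ignoring comments and blank lines."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        m = LINE_RE.match(stripped)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


@dataclass
class Finding:
    name: str
    pinned: str
    latest: str   # "" when the package is unknown to the index
    status: str   # "outdated" | "current" | "unknown"


def check(pins: Dict[str, str], index: Dict[str, str]) -> List[Finding]:
    """Compare every pin against the index; unknown packages are flagged, not ignored."""
    findings: List[Finding] = []
    for name, pinned in sorted(pins.items()):
        latest = index.get(name)
        if latest is None:
            findings.append(Finding(name, pinned, "", "unknown"))
        elif parse_version(pinned) < parse_version(latest):
            findings.append(Finding(name, pinned, latest, "outdated"))
        else:
            findings.append(Finding(name, pinned, latest, "current"))
    return findings


def badge(findings: List[Finding]) -> str:
    """Badge-style summary line, the kind of thing a README widget shows."""
    n = sum(1 for f in findings if f.status == "outdated")
    return "dependencies: up to date" if n == 0 else f"dependencies: {n} out of date"


def bump_manifest(text: str, findings: List[Finding]) -> str:
    """Rewrite outdated pins to their latest versions, as an auto-fix PR would."""
    latest = {f.name: f.latest for f in findings if f.status == "outdated"}
    out: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0].strip())
        if m and m.group(1).lower() in latest:
            out.append(f"{m.group(1)}=={latest[m.group(1).lower()]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = check(parse_manifest(SAMPLE_MANIFEST), SAMPLE_INDEX)
    for f in found:
        print(f"{f.status:8} {f.name} {f.pinned} -> {f.latest or '?'}")
    print(badge(found))
    print(bump_manifest(SAMPLE_MANIFEST, found))
```

The "unknown" status is the part worth keeping in a real pipeline: a package the index has never heard of is exactly the private or vendored dependency nobody is watching, so it should surface in the report rather than silently pass.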
So, Mirhosseini and Parnin analyzed over 7,000 GitHub projects to see if tools like automated pull requests and project badges did anything to change developers’ behavior.
On average, they found that projects with automated pull requests were updated more often than the baseline. In particular, the researchers found that projects with automated pull requests made 60 percent more of the necessary upgrades than projects that didn’t use incentives. Badge notifications were slightly less effective, with 40 percent more updates.
However, Mirhosseini and Parnin did point out that pull requests aren’t a magic cure. Developers are often overwhelmed with notifications and only a third of pull requests were actually merged. Badges are slightly helpful in this respect, but still not wholly effective.
Parnin’s take-home message?
“We have automated tools that can help programmers keep up with upgrades,” Parnin said. “These tools can’t replace good programmers, but they can make a significant difference. However, it’s still up to programmers to put these tools in place and make use of them.”
Mirhosseini and Parnin’s study, “Can Automated Pull Requests Encourage Software Developers to Upgrade Out-of-Date Dependencies?” is available online.