In a preprint paper titled "Exploring Security Commits in Python," Shiyu Sun, Shu Wang, Xinda Wang, Yunlong Xing and Kun Sun from George Mason University, and Elisa Zhang from Dougherty Valley High School, all in the United States, propose a remedy for silently fixed Python vulnerabilities: a database of security commits called PySecDB, intended to make Python code repairs more visible to the community.

"Since the CVE records on Python programs are limited, we observe that only 46 percent of them provide the corresponding security commits and more security commits fall in the wild silently, without being indexed by CVE," the group concludes in the paper, which was accepted for the 2023 ICSME conference.

PySecDB has three parts: a base dataset, a pilot dataset, and an augmented dataset. The base dataset consists of security commits associated with CVE identifiers. For example, CVE-2021-27213, a fix for CWE-502 (Deserialization of Untrusted Data), includes a link to the actual code change in the relevant project's GitHub repo.

Together, these form PySecDB, which the academics say is the first security commit dataset for Python. It contains 1,258 security commits and 2,791 non-security commits culled from more than 351 popular GitHub projects, covering 119 more CWEs.

By compiling PySecDB, the authors noticed four common security-fix patterns, which they say can be generalized and turned into intermediate representations for use in automated program repair. The patterns are: adding or updating sanity checks, revising API usage, updating regular expressions, and restricting security properties.

The boffins caution that their SCOPY model has the potential to identify undisclosed vulnerability fixes, which, while helpful, could also enable an attacker to find flaws in unpatched systems.

"Our objective in this paper is to prioritize the security of the users' systems; that is why we only share detailed information on the security fixes, rather than the vulnerabilities," they state in their paper. "By taking this approach, attackers cannot leverage the SCOPY to gain additional details on the vulnerabilities. However, with the SCOPY, open-source software maintainers can quickly reveal vulnerabilities as soon as security fixes become public, improving the overall security of their software systems."

Dr. Kun Sun, a professor in the Department of Information Sciences and Technology at George Mason University and a co-author of the paper, told The Register in an email that one of the reasons so many Python vulnerabilities are addressed silently is that "It is too complicated to get a CVE-ID for a Python vulnerability." He also added that "developers may consider the vulnerability as a performance bug."

To improve the situation, Sun argues for raising awareness of silent security patches, creating guidance to help developers identify and label vulnerabilities, and applying tools to spot silent security patches.

Seth Michael Larson, security developer-in-residence at the Python Software Foundation, told The Register that while silent security patches have some impact on security, he suspects that serious flaws with significant impact are being appropriately recorded in CVE notices.
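The four security-fix patterns the paper identifies, as an added Python illustration that is not from the paper, from PySecDB, or from The Register: each pattern is shown as a vulnerable "before" function beside its hardened "after". The "revising API usage" case uses pickle so that it maps onto the CWE-502 class mentioned for CVE-2021-27213, but the code is not that project's fix. The function names, the constructed pickle stream, and the reading of "restricting security properties" as tightening a secret file's permissions are my own assumptions.

```python
import json
import os
import pickle
import re
import stat
import tempfile

# Constructed pickle stream (protocol 0): GLOBAL os.getpid, MARK, TUPLE, REDUCE, STOP.
# Unpickling it calls os.getpid(); any importable callable could be named instead.
PICKLE_PAYLOAD = b"cos\ngetpid\n(tR."


# Pattern: revising API usage (CWE-502, Deserialization of Untrusted Data).
def load_settings_before(blob: bytes):
    """Vulnerable 'before': pickle.loads runs whatever callables the stream names."""
    return pickle.loads(blob)


def load_settings_after(blob: bytes) -> dict:
    """'After': a data-only format; the same payload is just a decoding error."""
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    return data


def payload_calls_os_getpid() -> bool:
    """True if unpickling the constructed stream really invoked os.getpid()."""
    return load_settings_before(PICKLE_PAYLOAD) == os.getpid()


# Pattern: adding a sanity check.
def parse_port_before(value: str) -> int:
    return int(value)  # happily returns -1 or 70000


def parse_port_after(value: str) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


# Pattern: updating a regular expression (anchoring the whole input).
NUMERIC_ID = re.compile(r"[0-9]+")


def is_numeric_id_before(s: str) -> bool:
    return NUMERIC_ID.match(s) is not None  # match() only anchors the start


def is_numeric_id_after(s: str) -> bool:
    return NUMERIC_ID.fullmatch(s) is not None  # the whole string must be digits


# Pattern: restricting a security property (file mode of a stored secret).
def write_token_before(path: str, token: str) -> None:
    with open(path, "w") as fh:  # mode comes from the umask, typically 0o644
        fh.write(token)


def write_token_after(path: str, token: str) -> None:
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:  # owner read/write only
        fh.write(token)


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def token_file_modes() -> tuple:
    """Write a dummy token both ways into a fresh temp dir; return (mode_before, mode_after)."""
    d = tempfile.mkdtemp()
    before, after = os.path.join(d, "before.tok"), os.path.join(d, "after.tok")
    write_token_before(before, "dummy-token")
    write_token_after(after, "dummy-token")
    return file_mode(before), file_mode(after)


def raises_value_error(fn, *args) -> bool:
    """Helper so that rejected inputs can be reported as a plain boolean."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("pickle payload ran os.getpid():", payload_calls_os_getpid())
    print("json loader rejects it:", raises_value_error(load_settings_after, PICKLE_PAYLOAD))
    print("'123; rm -rf /' accepted before/after:",
          is_numeric_id_before("123; rm -rf /"), is_numeric_id_after("123; rm -rf /"))
    print("port 70000 before/after:", parse_port_before("70000"),
          raises_value_error(parse_port_after, "70000"))
    print("token file modes before/after: %o %o" % token_file_modes())
```

Each "after" is the kind of small, self-contained change that a commit message can easily describe as a refactor or a robustness fix, which is why such commits go unindexed by CVE: nothing in the diff itself says "vulnerability". Note that the "before" file mode depends on the process umask, so only the hardened mode is deterministic.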