Failure to make software patches and hardware upgrades is often cited as a major reason for the security vulnerabilities exploited by hackers. But auto-fix tools could encourage IT staff to make upgrades that might reduce cybersecurity threats, according to a new study from NCSU.

One example is the Equifax hack, which exposed more than 140 million people’s data.

“Most software programs rely, in part, on code in external ‘libraries’ to perform some of their functions,” says Chris Parnin, an assistant professor of computer science at North Carolina State University who is senior author of a new study about auto-fix tools.

“If those external libraries are modified to address flaws, programmers need to update their internal code to account for the changes. This is called ‘upgrading an out-of-date dependency.’ However, for various reasons, many programmers procrastinate, putting off the needed upgrades.

“This is what happened at Equifax,” Parnin adds. “An external library they relied on had made public that it contained a security flaw. And while the external library was patched, Equifax never got around to updating its internal code. So months after the problem was identified, Equifax was still vulnerable and got hacked.

“Our goal with this project was to assess tools designed to get more programmers to upgrade their out-of-date dependencies. Could they help prevent another Equifax?”

The research is based on a review of thousands of open-source projects at online programming community GitHub.

The abstract of the paper:


“Can Automated Pull Requests Encourage Software Developers to Upgrade Out-of-Date Dependencies?”

  • Authors: Samim Mirhosseini and Chris Parnin, North Carolina State University
  • Presented: IEEE/ACM International Conference on Automated Software Engineering, Oct. 30-Nov. 3 at the University of Illinois at Urbana-Champaign, Ill.
  • Abstract: Developers neglect to update legacy software dependencies, resulting in buggy and insecure software. One explanation for this neglect is the difficulty of constantly checking for the availability of new software updates, verifying their safety, and addressing any migration efforts needed when upgrading a dependency. Emerging tools attempt to address this problem by introducing automated pull requests and project badges to inform the developer of stale dependencies. To understand whether these tools actually help developers, we analyzed 7,470 GitHub projects that used these notification mechanisms to identify any change in upgrade behavior. Our results find that, on average, projects that use pull request notifications upgraded 1.6x as often as projects that did not use any tools. Badge notifications were slightly less effective: users upgraded 1.4x more frequently. Unfortunately, although pull request notifications are useful, developers are often overwhelmed by notifications: only a third of pull requests were actually merged. Through a survey, 62 developers indicated that their most significant concerns are breaking changes, understanding the implications of changes, and migration effort. The implications of our work suggest ways in which notifications can be improved to better align with developers’ expectations and the need for new mechanisms to reduce notification fatigue and improve confidence in automated pull requests.