For computer software developers, dependency brings risk

Why it matters:

Researchers take an interdisciplinary approach to studying risks associated with interdependent software platforms used in business.

When computer experts uncovered a vulnerability in a widely used cryptography library in 2014, it sent shock waves through the computer security world. “Heartbleed” would become known as one of the worst security bugs in the history of the internet, rendering between 25 and 55 percent of secure web servers vulnerable to data theft — including a large U.S. hospital chain called Community Health Systems and the Canadian Revenue Agency.

The culprit? A bug buried deep in a widely used software library that countless programmers linked to when developing their own software packages, explains Angelo Mele, associate professor of economics at Johns Hopkins Carey Business School, whose research is aimed at addressing this costly problem of interdependence. His working paper, which models software dependency networks, puts current loss estimates at over $1 trillion.

“When computer software developers are creating new software programs, they often save time and money by linking to existing libraries or programs for basic functions or simple tasks,” says Mele. “But these ‘package dependencies’ expose developers to the risk of bugs or other vulnerabilities.”

Addressing ‘cascade failures’

Studying dependency networks lends itself to an interdisciplinary approach, notes Mele — an approach that spans economic theory, statistical inference, network analysis, financial and behavioral contagion, game theory, and computational methods.

In current research funded by the Institute for Data Intensive Engineering and Science, or IDIES, at Johns Hopkins, Mele and co-investigator Co-Pierre Georg of the EDHEC Business School in France are combining different methodologies to explore key questions.

“We are working to model how software dependency networks are formed and to understand the role of ‘externalities’ — which are created when software developers form a dependency to another package, exposing other packages to the risk of bugs or security issues,” Mele explains.

Ultimately, the researchers aim to quantify the associated costs of externalities and to come up with solutions “that could alleviate problems of contagion and ‘cascade failures,’” similar to the widespread damage created by Heartbleed, Mele says.

Open source software: an ‘ideal laboratory’

In preliminary research, Mele and Georg used data on open source software projects written in the programming language Rust. Their analysis examined 17,081 packages with a total of 1,131,342 dependencies.

Their conclusion: “Highly interdependent software packages are likely to become even more interdependent. This means that it is particularly important to ensure that such packages are free of bugs that potentially can affect a large number of other software packages.”

Mele sees this initial research project focusing on Rust as a starting point for a broader analysis that will consider many more datasets and more popular programming languages — such as JavaScript and Python. Ultimately, through their modeling work, Mele and Georg aim to address important policy questions. For example: What happens to the network when a bug is introduced in a random node?

Fortunately, the widespread use of open source software — which is developed with source code that anyone can inspect, modify, and enhance — provides an “ideal laboratory” to study dependency graphs, Mele notes.
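The “random node” question above can be made concrete on a dependency graph. The following is an added example, not code from the article or from the Mele and Georg model: it uses a small constructed graph with hypothetical package names, inverts the dependency edges, and measures how many packages are exposed when a bug appears in each node (the cascade size), then averages that over a uniformly random node.

```python
"""Cascade-failure exposure on a package dependency graph (added example).

The packages and edges below are constructed for illustration; a real
study would load them from a registry index such as crates.io metadata.
"""
from collections import deque

# Constructed graph: package -> set of packages it depends on directly.
# Edges point from a dependent to its dependency, as in a Cargo.toml.
DEPS = {
    "tls-lib": set(),                  # low-level, widely reused
    "http-core": {"tls-lib"},
    "json-parse": set(),
    "web-framework": {"http-core", "json-parse"},
    "cli-tool": {"json-parse"},
    "billing-app": {"web-framework"},
    "reporting-app": {"web-framework", "cli-tool"},
    "standalone": set(),               # depends on nothing, nothing depends on it
}


def reverse_deps(deps):
    """Invert the graph: dependency -> set of packages that import it directly."""
    rev = {pkg: set() for pkg in deps}
    for pkg, needed in deps.items():
        for dep in needed:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def blast_radius(deps, vulnerable):
    """Every package transitively exposed when `vulnerable` has a bug.

    Breadth-first search over reverse edges: a bug propagates to direct
    dependents, then to their dependents, and so on (the externality).
    """
    rev = reverse_deps(deps)
    exposed, queue = set(), deque([vulnerable])
    while queue:
        for dependent in rev.get(queue.popleft(), ()):
            if dependent not in exposed:
                exposed.add(dependent)
                queue.append(dependent)
    return exposed


def cascade_sizes(deps):
    """Cascade size for a bug placed at each node of the graph."""
    return {pkg: len(blast_radius(deps, pkg)) for pkg in deps}


def mean_cascade_size(deps):
    """Expected number of exposed packages when the buggy node is chosen uniformly at random."""
    sizes = cascade_sizes(deps)
    return sum(sizes.values()) / len(sizes)


if __name__ == "__main__":
    for pkg, n in sorted(cascade_sizes(DEPS).items(), key=lambda kv: -kv[1]):
        print(f"{pkg:14s} exposes {n} other package(s)")
    print(f"mean cascade size over a random node: {mean_cascade_size(DEPS):.2f}")
```

Ranking packages by cascade size singles out the low-level libraries (here the constructed `tls-lib` and `json-parse`) whose bugs reach the most dependents, which is the article's point about where bug-freedom matters most.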
