Could the recent Equifax data breach have been prevented if the credit agency had had the right programming tools in place? That's the question researchers from North Carolina State University set out to answer in their recent study, "Can Automated Pull Requests Encourage Software Developers to Upgrade Out-of-Date Dependencies?"
According to the researchers, most software relies on external libraries to perform common functions. Those libraries are frequently modified to fix flaws, including security flaws. To keep their own code safe, programmers have to keep checking the status of the libraries they depend on and update their code to account for any changes.
“This is called ‘upgrading an out-of-date dependency.’ However, for various reasons, many programmers procrastinate, putting off the needed upgrades,” said Chris Parnin, an assistant professor of computer science at North Carolina State University.
Parnin explained that this type of procrastination is exactly what happened in the Equifax data breach. “An external library they relied on had made public that it contained a security flaw. And while the external library was patched, Equifax never got around to updating its internal code. So months after the problem was identified, Equifax was still vulnerable and got hacked.”
In the study, the researchers looked at thousands of open source projects on GitHub to assess whether tooling could get more programmers to update their out-of-date dependencies. One group consisted of 2,578 projects that used automated pull requests to notify project owners about available upgrades. The other group consisted of 1,273 projects that had no automated pull requests or other tooling for out-of-date dependencies. The results showed that projects with automated pull requests were 60% more likely to upgrade their out-of-date dependencies than projects with no such incentive.
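The check that an automated pull-request bot performs, as an added example that is not code from the study, the article, or any particular tool: it reads a package.json-style manifest, compares each declared version range against a registry snapshot, and produces the manifest change a pull request would carry. The manifest, the package names and versions, and the registry snapshot are all constructed for the example; a real bot would query the package registry instead.

```javascript
// Added example, not the study's or any bot's own code. Everything below
// (package names, versions, registry contents) is constructed.

// Parse a plain x.y.z version into three integers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions numerically (not lexically, so 1.10.0 > 1.9.9).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside a caret (^), tilde (~) or exact-pin range?
function satisfies(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (compareVersions(version, base) < 0) return false;
  const [bMaj, bMin, bPat] = parseVersion(base);
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (op === '^') {
    // ^x.y.z allows changes that do not touch the left-most non-zero digit.
    if (bMaj > 0) return vMaj === bMaj;
    if (bMin > 0) return vMaj === 0 && vMin === bMin;
    return vMaj === 0 && vMin === 0 && vPat === bPat;
  }
  if (op === '~') return vMaj === bMaj && vMin === bMin; // patch-level only
  return compareVersions(version, base) === 0;          // exact pin
}

// List every dependency whose declared base version is behind the registry.
function findOutdated(manifest, registry) {
  const results = [];
  for (const [name, range] of Object.entries(manifest.dependencies)) {
    const latest = registry[name];
    if (!latest) continue; // unknown package: nothing to compare against
    const base = range.replace(/^[\^~]/, '');
    if (compareVersions(latest, base) <= 0) continue; // already current
    results.push({
      name, range, latest,
      // If the declared range already admits the new version, a plain
      // reinstall picks it up. If it does not, the manifest itself must
      // change, which is exactly what the automated pull request proposes.
      needsManifestChange: !satisfies(range, latest),
    });
  }
  return results;
}

// Build the manifest edit and change list an upgrade pull request would carry.
function buildUpgradePullRequest(manifest, registry) {
  const updated = JSON.parse(JSON.stringify(manifest));
  const changes = [];
  for (const dep of findOutdated(manifest, registry)) {
    if (!dep.needsManifestChange) continue;
    const prefix = /^[\^~]/.test(dep.range) ? dep.range[0] : '';
    updated.dependencies[dep.name] = prefix + dep.latest;
    changes.push(`${dep.name}: ${dep.range} -> ${prefix}${dep.latest}`);
  }
  return { updated, changes };
}

// Constructed manifest and registry snapshot (not real packages).
const manifest = {
  name: 'example-app',
  dependencies: {
    'web-framework': '^2.3.1',
    'xml-parser': '~1.4.0',
    'logger': '3.0.0',
    'leftover-util': '^0.9.2',
  },
};
const registrySnapshot = {
  'web-framework': '2.5.0',  // inside ^2.3.1: no manifest change needed
  'xml-parser': '2.0.1',     // major bump: outside ~1.4.0
  'logger': '3.0.4',         // exact pin, so even a patch needs a PR
  'leftover-util': '0.10.0', // ^0.9.2 does not admit 0.10.0
};

console.log(JSON.stringify(buildUpgradePullRequest(manifest, registrySnapshot), null, 2));
```

The bot's output is only a proposal; as the study measures, the upgrade happens when a maintainer merges it, so the value of the tool depends on someone reviewing and landing those pull requests promptly.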
“We also found that the majority of automated pull request projects were using the most up-to-date versions of dependent software, whereas the unincentivized projects were all over the map,” Parnin said. “The take-home message here is that we have automated tools that can help programmers keep up with upgrades. These tools can’t replace good programmers, but they can make a significant difference. However, it’s still up to programmers to put these tools in place and make use of them.”