Vulnerability Webs: Systemic Risk in Software Networks

Cornelius Fritz, Co-Pierre Georg, Angelo Mele and Michael Schweinberger

Papers from arXiv.org

Abstract: Modern software development is a collaborative effort that re-uses existing code to reduce development and maintenance costs. This practice exposes software to vulnerabilities in the form of undetected bugs in direct and indirect dependencies, as demonstrated by the CrowdStrike and Heartbleed bugs. The economic costs resulting from such vulnerabilities can be staggering. We study a directed network of 52,897 software dependencies across 16,102 Python repositories, guided by a strategic model of network formation that incorporates both observable and unobservable heterogeneity. Using a scalable variational approximation of the conditional distribution of unobserved heterogeneity, we show that outsourcing code to other software packages by creating dependencies generates negative externalities. Modeling the propagation of risk in networks of software packages as an epidemiological process, we show that increasing protection of dependencies based on popular heuristics is ineffective at reducing systemic risk. By contrast, AI-assisted coding enables developers to replace dependencies with in-house code and reduces systemic risk.

Date: 2024-02, Revised 2024-11
New Economics Papers: this item is included in nep-net
Downloads: (external link)
http://arxiv.org/pdf/2402.13375 Latest version (application/pdf)

Persistent link: https://EconPapers.repec.org/RePEc:arx:papers:2402.13375

Page updated 2025-03-19
Handle: RePEc:arx:papers:2402.13375