A Strategic Model of Software Dependency Networks

Cornelius Fritz; Co Pierre Georg; Angelo Mele; Michael Schweinberger

doi:10.1145/3670865.3673519

A Strategic Model of Software Dependency Networks

Cornelius Fritz
, Co Pierre Georg
, Angelo Mele
, Michael Schweinberger

Statistics

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Software development is a collaborative effort that leverages existing code, which reduces the cost of developing new software. That said, leveraging existing code exposes coders to vulnerabilities, because existing code might contain programming bugs. We study the formation of dependency networks among software repositories, guided by a strategic model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of a network of 696, 790 directed dependencies between 35, 473 repositories of the Rust programming language using a scalable statistical algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. What is more, we show that coders are likely to link to more popular packages of the same and of other software types. We adopt models for the spread of infectious diseases to measure a package’s systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed with the most systemic repository affecting almost 90% of all repositories only two steps away. Finally, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40%.

Original language	English (US)
Title of host publication	EC 2024 - Proceedings of the 25th Conference on Economics and Computation
Publisher	Association for Computing Machinery, Inc
Pages	863-892
Number of pages	30
ISBN (Electronic)	9798400707049
DOIs	https://doi.org/10.1145/3670865.3673519
State	Published - Dec 17 2024
Event	25th Conference on Economics and Computation, EC 2024 - New Haven, United States Duration: Jul 8 2024 → Jul 11 2024

Publication series

Name	EC 2024 - Proceedings of the 25th Conference on Economics and Computation

Conference

Conference	25th Conference on Economics and Computation, EC 2024
Country/Territory	United States
City	New Haven
Period	7/8/24 → 7/11/24

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 3 Good Health and Well-being

All Science Journal Classification (ASJC) codes

Computer Science (miscellaneous)
Economics and Econometrics
Computational Mathematics
Statistics and Probability

Access to Document

10.1145/3670865.3673519

Cite this

@inproceedings{4741b27c73d04013bd5154b049c525c4,

title = "A Strategic Model of Software Dependency Networks",

abstract = "Software development is a collaborative effort that leverages existing code, which reduces the cost of developing new software. That said, leveraging existing code exposes coders to vulnerabilities, because existing code might contain programming bugs. We study the formation of dependency networks among software repositories, guided by a strategic model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of a network of 696, 790 directed dependencies between 35, 473 repositories of the Rust programming language using a scalable statistical algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. What is more, we show that coders are likely to link to more popular packages of the same and of other software types. We adopt models for the spread of infectious diseases to measure a package{\textquoteright}s systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed with the most systemic repository affecting almost 90\% of all repositories only two steps away. Finally, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40\%.",

author = "Cornelius Fritz and Georg, \{Co Pierre\} and Angelo Mele and Michael Schweinberger",

note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s).; 25th Conference on Economics and Computation, EC 2024 ; Conference date: 08-07-2024 Through 11-07-2024",

year = "2024",

month = dec,

day = "17",

doi = "10.1145/3670865.3673519",

language = "English (US)",

series = "EC 2024 - Proceedings of the 25th Conference on Economics and Computation",

publisher = "Association for Computing Machinery, Inc",

pages = "863--892",

booktitle = "EC 2024 - Proceedings of the 25th Conference on Economics and Computation",

}

Fritz, C, Georg, CP, Mele, A & Schweinberger, M 2024, A Strategic Model of Software Dependency Networks. in EC 2024 - Proceedings of the 25th Conference on Economics and Computation. EC 2024 - Proceedings of the 25th Conference on Economics and Computation, Association for Computing Machinery, Inc, pp. 863-892, 25th Conference on Economics and Computation, EC 2024, New Haven, United States, 7/8/24. https://doi.org/10.1145/3670865.3673519

A Strategic Model of Software Dependency Networks. / Fritz, Cornelius; Georg, Co Pierre; Mele, Angelo et al.
EC 2024 - Proceedings of the 25th Conference on Economics and Computation. Association for Computing Machinery, Inc, 2024. p. 863-892 (EC 2024 - Proceedings of the 25th Conference on Economics and Computation).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - A Strategic Model of Software Dependency Networks

AU - Fritz, Cornelius

AU - Georg, Co Pierre

AU - Mele, Angelo

AU - Schweinberger, Michael

PY - 2024/12/17

Y1 - 2024/12/17

N2 - Software development is a collaborative effort that leverages existing code, which reduces the cost of developing new software. That said, leveraging existing code exposes coders to vulnerabilities, because existing code might contain programming bugs. We study the formation of dependency networks among software repositories, guided by a strategic model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of a network of 696, 790 directed dependencies between 35, 473 repositories of the Rust programming language using a scalable statistical algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. What is more, we show that coders are likely to link to more popular packages of the same and of other software types. We adopt models for the spread of infectious diseases to measure a package’s systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed with the most systemic repository affecting almost 90% of all repositories only two steps away. Finally, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40%.

AB - Software development is a collaborative effort that leverages existing code, which reduces the cost of developing new software. That said, leveraging existing code exposes coders to vulnerabilities, because existing code might contain programming bugs. We study the formation of dependency networks among software repositories, guided by a strategic model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of a network of 696, 790 directed dependencies between 35, 473 repositories of the Rust programming language using a scalable statistical algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. What is more, we show that coders are likely to link to more popular packages of the same and of other software types. We adopt models for the spread of infectious diseases to measure a package’s systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed with the most systemic repository affecting almost 90% of all repositories only two steps away. Finally, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40%.

UR - https://www.scopus.com/pages/publications/85215320874

UR - https://www.scopus.com/pages/publications/85215320874#tab=citedBy

U2 - 10.1145/3670865.3673519

DO - 10.1145/3670865.3673519

M3 - Conference contribution

AN - SCOPUS:85215320874

T3 - EC 2024 - Proceedings of the 25th Conference on Economics and Computation

SP - 863

EP - 892

BT - EC 2024 - Proceedings of the 25th Conference on Economics and Computation

PB - Association for Computing Machinery, Inc

T2 - 25th Conference on Economics and Computation, EC 2024

Y2 - 8 July 2024 through 11 July 2024

ER -

A Strategic Model of Software Dependency Networks

Abstract

Publication series

Conference

UN SDGs

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this