
Is anyone aware of any quantitative analysis or research on the security of CRAN or NPM?

e.g. How much malware is hosted, rate of compromise, speed to close, number of attack vectors, CERT reports etc etc.

I'm trying to get a sense of the level of risk of compromised libs and dependencies in any of the major open source repos.

While papers like this are useful (though dated)

http://dodcio.defense.gov/Portals/0/Documents/OSSFAQ/dodfoss_pdf.pdf

I'm interested specifically in repositories rather than FOSS in general.

Colin

1 Answer

Though this is not a research paper it may give you some insight into NPM:

A Malicious Module on NPM

Just because the package system is "Open Source" does not mean it isn't managed. Take the Apple App Store for example: the most widely used mobile device brand in the world, and even they have issues managing the safety of the downloads they provide.

Chad Baxter