Quantitative Security Analysis of Open Source Repos like CRAN and NPM

Question

Is anyone aware of any quantitative analysis or research on the security of CRAN or NPM?

e.g. How much malware is hosted, rate of compromise, speed to close, number of attack vectors, CERT reports etc etc.

I'm trying to get a sense of the level of risk of compromised libs and dependencies in any of the major open source repos.

While papers like this are useful (though dated)

http://dodcio.defense.gov/Portals/0/Documents/OSSFAQ/dodfoss_pdf.pdf

I'm interested specifically in repositories rather than FOSS in general.

can you link to those sources? – schroeder Oct 19 '15 at 18:37 — schroeder, Oct 19 '15 at 18:37

score 1 · Answer 1 · answered Nov 30 '15 at 00:02

1

Though this is not a research paper it may give you some insight into NPM:

A Malicious Module on NPM

Just because the package system is "Open Source" does not mean it isn't managed. Take the Apple App Store for example, the most widely used mobile device brand in the world and even they have issues managing the saftey of the downloads they provide.

answered Nov 30 '15 at 00:02

Chad Baxter

632
4
8

The `^lift` article was very good. Thank you Chad. – Colin Dec 02 '15 at 15:55

Quantitative Security Analysis of Open Source Repos like CRAN and NPM

1 Answers1