See to Believe: Using Visualization to Motivate Updating Third-Party Dependencies
Issued Date
2024-01-01
Scopus ID
2-s2.0-85201373819
Journal Title
Proceedings - 21st International Joint Conference on Computer Science and Software Engineering, JCSSE 2024
Start Page
618
End Page
625
Rights Holder(s)
SCOPUS
Bibliographic Citation
Proceedings - 21st International Joint Conference on Computer Science and Software Engineering, JCSSE 2024 (2024) , 618-625
Suggested Citation
Etsagul H.R., Jarukitpipat I.A., Kula R.G., Choetkiertikul M., Chhun K., Wanprasert W., Sunetnanta T. See to Believe: Using Visualization to Motivate Updating Third-Party Dependencies. Proceedings - 21st International Joint Conference on Computer Science and Software Engineering, JCSSE 2024 (2024), 618-625. doi:10.1109/JCSSE61278.2024.10613740 Retrieved from: https://repository.li.mahidol.ac.th/handle/20.500.14594/100613
Abstract
Security vulnerabilities introduced through an application's third-party dependencies are increasing, driven by the emergence of large library ecosystems such as the npm packages for JavaScript. Libraries now depend on each other, so relying on these ecosystems means that vulnerable dependencies are not only direct but also indirect (transitive) dependencies. Automated tool support exists to manage these complex dependencies, but recent work shows that developers remain wary of library updates, even those that fix vulnerabilities, citing that they were unaware of the update or that the effort of migrating to the new version outweighs the benefit. In this paper, we hypothesize that a dependency graph visualization (DGV) approach will motivate developers to update, especially where developers need convincing. To test this hypothesis, we performed a user study with 20 participants divided equally into an experimental group and a control group, comparing the visualization against state-of-the-art tooling on two tasks: reviewing vulnerabilities with complex dependency structures and reviewing vulnerabilities in indirect dependencies. We find that 70% of the participants who saw the visualization re-prioritized their updates in both tasks, compared with 30% and 60%, respectively, of the participants who used the npm audit tool.
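The abstract's central point is that a vulnerable package can be reached through several transitive paths, and a flat advisory list hides which direct dependencies actually need updating. The following is an added example, not code from the paper or its DGV tool: it walks a constructed, lockfile-style dependency map (all package names and severities are hypothetical, not real advisories), enumerates every path from the application to each vulnerable package, and reports, per vulnerable package, whether it is direct, how many paths reach it, and which direct dependencies would have to be updated to cut every path. The graph includes a deliberate cycle because real npm lockfiles contain them.

```javascript
// Added example (not from the paper). Package names and advisories below are
// constructed and hypothetical; the shape mirrors a flattened lockfile:
// package -> list of the packages it depends on.
const DEPENDENCY_GRAPH = {
  "my-app":          ["web-framework", "logger", "test-runner"],
  "web-framework":   ["http-parser", "template-engine"],
  "template-engine": ["string-escape"],
  "logger":          ["string-escape"],
  "test-runner":     ["assertion-lib"],
  "assertion-lib":   ["test-runner"],   // deliberate cycle, as seen in real lockfiles
  "http-parser":     [],
  "string-escape":   [],
};

// Hypothetical advisory list keyed by package name (constructed, not real CVEs).
const ADVISORIES = {
  "string-escape": "moderate",
  "http-parser":   "high",
};

// Depth-first walk recording every root-to-vulnerable-package path.
// `onPath` holds the nodes of the current path so cycles are skipped
// rather than looping forever.
function findVulnerablePaths(graph, root, advisories) {
  const results = [];
  const walk = (node, path, onPath) => {
    if (advisories[node]) {
      results.push({ pkg: node, severity: advisories[node], path: path.slice() });
    }
    for (const dep of graph[node] || []) {
      if (onPath.has(dep)) continue;          // already on this path: cycle
      onPath.add(dep);
      path.push(dep);
      walk(dep, path, onPath);
      path.pop();
      onPath.delete(dep);
    }
  };
  walk(root, [root], new Set([root]));
  return results;
}

// Per vulnerable package: whether it is a direct dependency of the root,
// how many distinct paths reach it, and which direct dependencies (the first
// hop of each path) would need an update to remove it entirely.
function summarize(results) {
  const summary = {};
  for (const { pkg, severity, path } of results) {
    if (!summary[pkg]) {
      summary[pkg] = { severity, direct: false, pathCount: 0, fixVia: [] };
    }
    const entry = summary[pkg];
    entry.pathCount += 1;
    if (path.length === 2) entry.direct = true;   // path is [root, pkg]
    const firstHop = path[1];
    if (!entry.fixVia.includes(firstHop)) entry.fixVia.push(firstHop);
  }
  return summary;
}

// Text rendering of the paths, the minimal form of the "graph view" the
// paper argues for: each line is one chain from the app to a vulnerable package.
function renderPaths(results) {
  return results.map(r => `${r.path.join(" -> ")} [${r.severity}]`);
}

// Stand-alone usage on the constructed data.
const found = findVulnerablePaths(DEPENDENCY_GRAPH, "my-app", ADVISORIES);
for (const line of renderPaths(found)) console.log(line);
console.log(JSON.stringify(summarize(found), null, 2));
```

On the constructed data the walk finds three paths: one to http-parser via web-framework, and two to string-escape (via web-framework and template-engine, and via logger). The summary shows that neither vulnerable package is a direct dependency, and that updating web-framework alone would remove http-parser but leave string-escape reachable through logger, which is exactly the re-prioritization a flat advisory list does not make obvious.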