Multiple social platforms reveal actionable signals for software vulnerability awareness: A study of GitHub, Twitter and Reddit
The awareness about software vulnerabilities is crucial to ensure effective cybersecurity practices, the development of high-quality software, and, ultimately, national security. This awareness can be better understood by studying the spread, structure and evolution of software vulnerability discuss...
Main authors: | Shrestha, Prasha; Sathanur, Arun; Maharjan, Suraj; Saldanha, Emily; Arendt, Dustin; Volkova, Svitlana |
---|---|
Format: | Online Article Text |
Language: | English |
Published: | Public Library of Science 2020 |
Subjects: | |
Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7092989/ https://www.ncbi.nlm.nih.gov/pubmed/32208431 http://dx.doi.org/10.1371/journal.pone.0230250 |
_version_ | 1783510211400564736 |
---|---|
author | Shrestha, Prasha Sathanur, Arun Maharjan, Suraj Saldanha, Emily Arendt, Dustin Volkova, Svitlana |
author_sort | Shrestha, Prasha |
collection | PubMed |
description | The awareness about software vulnerabilities is crucial to ensure effective cybersecurity practices, the development of high-quality software, and, ultimately, national security. This awareness can be better understood by studying the spread, structure and evolution of software vulnerability discussions across online communities. This work is the first to evaluate and contrast how discussions about software vulnerabilities spread on three social platforms—Twitter, GitHub, and Reddit. Moreover, we measure how user-level e.g., bot or not, and content-level characteristics e.g., vulnerability severity, post subjectivity, targeted operating systems as well as social network topology influence the rate of vulnerability discussion spread. To lay the groundwork, we present a novel fundamental framework for measuring information spread in multiple social platforms that identifies spread mechanisms and observables, units of information, and groups of measurements. We then contrast topologies for three social networks and analyze the effect of the network structure on the way discussions about vulnerabilities spread. We measure the scale and speed of the discussion spread to understand how far and how wide they go, how many users participate, and the duration of their spread. To demonstrate the awareness of more impactful vulnerabilities, a subset of our analysis focuses on vulnerabilities targeted during recent major cyber-attacks and those exploited by advanced persistent threat groups. One of our major findings is that most discussions start on GitHub not only before Twitter and Reddit, but even before a vulnerability is officially published. The severity of a vulnerability contributes to how much it spreads, especially on Twitter. Highly severe vulnerabilities have significantly deeper, broader and more viral discussion threads. 
When analyzing vulnerabilities in software products we found that different flavors of Linux received the highest discussion volume. We also observe that Twitter discussions started by humans have larger size, breadth, depth, adoption rate, lifetime, and structural virality compared to those started by bots. On Reddit, discussion threads of positive posts are larger, wider, and deeper than negative or neutral posts. We also found that all three networks have high modularity that encourages spread. However, the spread on GitHub is different from other networks, because GitHub is more dense, has stronger community structure and assortativity that enhances information diffusion. We anticipate the results of our analysis to not only increase the understanding of software vulnerability awareness but also inform the existing and new analytical frameworks for simulating information spread e.g., disinformation across multiple social environments online. |
format | Online Article Text |
id | pubmed-7092989 |
institution | National Center for Biotechnology Information |
language | English |
publishDate | 2020 |
publisher | Public Library of Science |
record_format | MEDLINE/PubMed |
spelling | pubmed-7092989 2020-04-01 Multiple social platforms reveal actionable signals for software vulnerability awareness: A study of GitHub, Twitter and Reddit Shrestha, Prasha Sathanur, Arun Maharjan, Suraj Saldanha, Emily Arendt, Dustin Volkova, Svitlana PLoS One Research Article Public Library of Science 2020-03-24 /pmc/articles/PMC7092989/ /pubmed/32208431 http://dx.doi.org/10.1371/journal.pone.0230250 Text en © 2020 Shrestha et al http://creativecommons.org/licenses/by/4.0/ This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited. |
title | Multiple social platforms reveal actionable signals for software vulnerability awareness: A study of GitHub, Twitter and Reddit |
topic | Research Article |
url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7092989/ https://www.ncbi.nlm.nih.gov/pubmed/32208431 http://dx.doi.org/10.1371/journal.pone.0230250 |