IDEAS home Printed from https://ideas.repec.org/p/arx/papers/2402.13375.html

A Strategic Model of Software Dependency Networks

Authors

  • Cornelius Fritz
  • Co-Pierre Georg
  • Angelo Mele
  • Michael Schweinberger

Abstract

Modern software development involves collaborative efforts and reuse of existing code, which reduces the cost of developing new software. However, reusing code from existing packages exposes coders to vulnerabilities in these dependencies. We study the formation of dependency networks among software packages and libraries, guided by a structural model of network formation with observable and unobservable heterogeneity. We estimate costs, benefits, and link externalities of the network of 696,790 directed dependencies between 35,473 repositories of the Rust programming language using a novel scalable algorithm. We find evidence of a positive externality exerted on other coders when coders create dependencies. Furthermore, we show that coders are likely to link to more popular packages of the same software type but less popular packages of other types. We adopt models for the spread of infectious diseases to measure a package's systemicness as the number of downstream packages a vulnerability would affect. Systemicness is highly skewed, with the most systemic repository affecting almost 90% of all repositories only two steps away. Lastly, we show that protecting only the ten most important repositories reduces vulnerability contagion by nearly 40%.

Suggested Citation

  • Cornelius Fritz & Co-Pierre Georg & Angelo Mele & Michael Schweinberger, 2024. "A Strategic Model of Software Dependency Networks," Papers 2402.13375, arXiv.org.
  • Handle: RePEc:arx:papers:2402.13375

    Download full text from publisher

    File URL: http://arxiv.org/pdf/2402.13375
    File Function: Latest version
    Download Restriction: no


    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Gaonkar, Shweta & Mele, Angelo, 2023. "A model of inter-organizational network formation," Journal of Economic Behavior & Organization, Elsevier, vol. 214(C), pages 82-104.
    2. Chih‐Sheng Hsieh & Lung‐Fei Lee & Vincent Boucher, 2020. "Specification and estimation of network formation and network interaction models with the exponential probability distribution," Quantitative Economics, Econometric Society, vol. 11(4), pages 1349-1390, November.
    3. Gao, Wayne Yuan & Li, Ming & Xu, Sheng, 2023. "Logical differencing in dyadic network formation models with nontransferable utilities," Journal of Econometrics, Elsevier, vol. 235(1), pages 302-324.
    4. Alex Centeno, 2022. "A Structural Model for Detecting Communities in Networks," Papers 2209.08380, arXiv.org, revised Oct 2022.
    5. Boucher, Vincent, 2020. "Equilibrium homophily in networks," European Economic Review, Elsevier, vol. 123(C).
    6. Luis E. Candelaria, 2020. "A Semiparametric Network Formation Model with Unobserved Linear Heterogeneity," Papers 2007.05403, arXiv.org, revised Aug 2020.
    7. Candelaria, Luis E., 2020. "A Semiparametric Network Formation Model with Unobserved Linear Heterogeneity," The Warwick Economics Research Paper Series (TWERPS) 1279, University of Warwick, Department of Economics.
    8. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    9. Philip Solimine & Luke Boosey, 2021. "Strategic formation of collaborative networks," Papers 2109.14204, arXiv.org, revised Apr 2024.
    10. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    11. de Paula, Aureo & Rasul, Imran & Souza, Pedro, 2018. "Identifying Network Ties from Panel Data: Theory and an Application to Tax Competition," CEPR Discussion Papers 12792, C.E.P.R. Discussion Papers.
    12. Boris van Leeuwen & Theo Offerman & Arthur Schram, 2020. "Competition for Status Creates Superstars: an Experiment on Public Good Provision and Network Formation," Journal of the European Economic Association, European Economic Association, vol. 18(2), pages 666-707.
    13. Áureo de Paula, 2020. "Econometric Models of Network Formation," Annual Review of Economics, Annual Reviews, vol. 12(1), pages 775-799, August.
    14. Stéphane Bonhomme, 2021. "Selection on Welfare Gains: Experimental Evidence from Electricity Plan Choice," Working Papers 2021-15, Becker Friedman Institute for Research In Economics.
    15. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    16. Slivko, Olga, 2014. "Peer effects in collaborative content generation: The evidence from German Wikipedia," ZEW Discussion Papers 14-128, ZEW - Leibniz Centre for European Economic Research.
    17. Bryan S. Graham, 2019. "Network Data," Papers 1912.06346, arXiv.org.
    18. Vincent Boucher, 2017. "The Estimation of Network Formation Games with Positive Spillovers," Cahiers de recherche 1710, Centre de recherche sur les risques, les enjeux économiques, et les politiques publiques.
    19. Braun, Martin & Verdier, Valentin, 2023. "Estimation of spillover effects with matched data or longitudinal network data," Journal of Econometrics, Elsevier, vol. 233(2), pages 689-714.
    20. Juan Nelson Martínez Dahbura & Shota Komatsu & Takanori Nishida & Angelo Mele, 2021. "A Structural Model of Business Card Exchange Networks," Papers 2105.12704, arXiv.org, revised Aug 2021.
