Description
We address the cybersecurity problems of supply chain risk management in open source software. How does one detect high-risk components in a deployed software system that includes many open source components? As a complement to software assurance approaches based on static source code analysis, we propose a technique based on an analysis of the entire open source ecosystem, inclusive of its technical products and contributor activity. we show how dependency topology, community activity, and exogenous vulnerability and exposure information can be integrated to detect high risk "hot spots" requiring additional investment. We demonstrate this technique using the Python dependency topology extracted from PyPi and data from GitHub. We will dicuss how our analysis prototype has been implemented with SciPy tools.