How much liability is in your project? #

Find out by calculating your project’s Liability Index.

What is the Liability Index? #

The Liability Index is a single value that determines how much security liability exists in an application. Measuring this metric will help your team keep your software systems safe by ensuring that known vulnerabilities are fixed quickly.

Technically speaking, the Liability Index is a dependency freshness measurement that computes how long your dependencies have had published, yet patchable, security vulnerabilities. This measurement is inspired by LibYear. Like LibYear, the Liability Index is computed in years.

Why does the Liability Index matter? #

Most modern software systems depend on many different libraries. These libraries provide a ton of useful functionality that a software development team does not have to build themselves. However, this functionality does come at a cost: commonly used libraries are an attack vector for people looking to exploit security vulnerabilities. Once a vulnerability is found in a commonly used library, then any application that’s using that library will be vulnerable until the library is patched.

Simply put, if your project is using versions of libraries that have published security vulnerabilities, then your project is at risk of being hacked. This risk can be thought of as a liability and can lead to security breaches. There have been many prominent security breaches in recent years. Some of those could have been avoided had the people responsible for those projects simply kept the libraries that their project depended on up-to-date.

Thankfully, many libraries have teams that help fix these security vulnerabilities when they are detected. This results in a new version of the library being published. And software systems that are using the library can simply upgrade to the fixed version to avoid being vulnerable. Computing and monitoring the Liability Index for a project can help ensure that security vulnerabilities are addressed in a timely manner and the risk of security breaches is minimized.

How do you compute the Liability Index? #

The Liability Index can be computed for either an entire project or for just a single dependency.

Single Dependency #

To compute the value for a single dependency, first determine the date that the current version was published, we’ll call this the published date. Next determine whether or not this version has a known security vulnerability. If it doesn’t have one, then the Liability Index value for that dependency is 0. If it does have a security vulnerability, check to see if there’s a newer version of the package that doesn’t have a security vulnerability. When you find one, record the date it was published as the patched date.

Now that you have these components, you can compute the Liability Index by subtracting the patched date from the published date and recording the value in terms of fractional years. For example, 6 months would be reported as 0.5, while 3 years and 3 months would be reported as 3.25.

Entire Project #

Now that we know how to compute the value for a single dependency, we simply add all of those values together to get the composite value for the entire project.

Can you show me an example? #

Sure! Let’s compute the Liability Index value for an application with the following fictional dependencies:

Sample Dependencies and Dates #

Computing Liability Index per Dependency #

Computing the Liability Index for each dependency would yield the following:

Total #

And the total Liability Index for the entire project would be the sum of these values, or 3.72 years.

What is a good Liability Index value? #

A good Liability Index is as close to 0 as possible. And, it’s important to continue to monitor your project as security vulnerabilities are identified and patched so that its Liability index stays as low as possible.

Want to learn more? Let’s connect! #