Security Knowledge Management in Open Source Software Communities

Open source software (OSS) communities are groups of individuals, technical or non-technical, who interact with collaborating peers in online communities of practice to develop OSS, solve particular software problems and exchange ideas. People join OSS communities with differing levels of programming skill and experience, and many lack formal, college-level software security training. There remains considerable confusion in participants' minds as to what secure code is and what the project actually expects of them. A further problem is that the huge amount of software security information available today has produced a form of information overload for software engineers, who often finish studying it without a clear idea of how to apply those principles properly to their own applications. The result is a knowledge gap between the knowledge that is available and the knowledge required to build secure applications in the context of real software projects. Given the increased importance and complexity of OSS in today's world, lacking the security knowledge needed to handle vulnerabilities in OSS development will lead to more serious breaches in the future. The goal of this research is to close that gap by providing an artifact that facilitates the effective transfer and learning of security knowledge in the context of OSS development. In this work-in-progress paper, we present our ongoing research, which follows the design science research methodology, covering the identification of the domain problem and the development of the artifact.
