On the Security Cost of Using a Free and Open Source Component in a Proprietary Product

The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within the proprietary software supply chain of a large European software vendor. To this end we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (e.g., development activity such as commits, code size, or the fraction of code size in different programming languages) to identify which one has the largest impact on the security effort of using a FOSS component in a larger software product.
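To make the three cost models concrete, the following added example (not the paper's model) compares them on a constructed component usage matrix. The per-check cost, the per-group propagation cost, and the usage threshold that decides which components the hybrid model handles centrally are all assumptions made for this illustration.

```python
"""Toy comparison of the centralized, distributed and hybrid security-effort
models named in the abstract. The cost formulas below are assumptions for
this illustration, not the paper's own model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Costs:
    check: float      # assumed effort to security-review one FOSS component once
    propagate: float  # assumed effort for a central team to push a fix to one product group


# Constructed sample: FOSS component -> product groups that consume it
USAGE = {
    "libfoo": {"A", "B", "C", "D"},
    "libbar": {"A", "B"},
    "libbaz": {"C"},
    "libqux": {"D"},
}


def centralized(usage, c):
    # A central team checks each component once, then propagates to every consumer.
    return sum(c.check + c.propagate * len(groups) for groups in usage.values())


def distributed(usage, c):
    # Every product group re-checks each component it consumes; nothing is propagated.
    return sum(c.check * len(groups) for groups in usage.values())


def hybrid(usage, c, threshold):
    # Components used by more than `threshold` groups are handled centrally;
    # the least-used ones are checked by each consuming team on its own.
    total = 0.0
    for groups in usage.values():
        if len(groups) > threshold:
            total += c.check + c.propagate * len(groups)
        else:
            total += c.check * len(groups)
    return total


def cheapest(usage, c, threshold=1):
    """Return (model_name, effort) for the least-cost model under these assumptions."""
    options = {
        "centralized": centralized(usage, c),
        "distributed": distributed(usage, c),
        "hybrid": hybrid(usage, c, threshold),
    }
    name = min(options, key=options.get)
    return name, options[name]
```

Varying the propagation cost shows the trade-off: when pushing fixes to product groups is cheap the hybrid model wins, and when it is expensive the distributed model does.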
