A Double-Edged Sword? Software Reuse and Potential Security Vulnerabilities

Reuse is a common and often-advocated software development practice. Significant effort has been invested in facilitating it, leading to advances such as software forges, package managers, and the widespread integration of open source components into proprietary software systems. Reused software can make a system more secure through its maturity and extended vetting, or less secure through a larger attack surface or insecure coding practices. To shed more light on this issue, we investigate the relationship between software reuse and potential security vulnerabilities, as assessed through static analysis. We empirically investigated 301 open source projects in a holistic multiple-case study. In particular, we examined the distribution of potential vulnerabilities between the native code created by a project's development team and the external code reused through dependencies, as well as the correlation between the reuse ratio and the density of potential vulnerabilities. The results suggest that the number of potential vulnerabilities in both native and reused code grows with project size. We also found a weak-to-moderate negative correlation between reuse ratio and vulnerability density: projects with a higher reuse ratio tend to have a lower density of potential vulnerabilities. Based on these findings, code reuse appears to be neither a frightening werewolf that introduces an excessive number of vulnerabilities nor a silver bullet for avoiding them.
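The two measurements the abstract describes (splitting static-analysis warnings between native and reused code, and correlating a project's reuse ratio with its warning density) can be reproduced on any analyzer report that gives a file path per warning. The script below is an added illustration, not the study's own tooling or data: it assumes reuse ratio = reused LOC / total LOC, density = warnings per 1000 LOC, and Spearman rank correlation across projects, and it assumes that reused sources live under per-project path prefixes (`lib/`, `vendor/`). The five projects, their LOC figures and the per-file warning counts are constructed; the dependency names are fictional.

```python
"""Partition static-analysis warnings into native vs. reused code, then
correlate reuse ratio with warning density across projects.

Added illustration with constructed data; the metric definitions
(reused LOC / total LOC, warnings per KLOC, Spearman's rho) are assumptions
about how such a study could be reproduced, not the paper's own code.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    name: str
    native_loc: int      # lines written by the project's own team
    reused_loc: int      # lines pulled in through dependencies
    dep_prefixes: tuple  # path prefixes holding reused sources (assumption)


# Constructed sample corpus: LOC figures and dependency layout are invented.
PROJECTS = {
    "alpha":   Project("alpha",   10000,  5000, ("lib/",)),
    "bravo":   Project("bravo",    8000, 12000, ("lib/",)),
    "charlie": Project("charlie", 20000,  5000, ("lib/",)),
    "delta":   Project("delta",    3000, 12000, ("lib/",)),
    "echo":    Project("echo",    15000, 15000, ("lib/", "vendor/")),
}

# Constructed per-file warning counts, shaped like an aggregated analyzer
# report: (project, file path, number of security-category warnings).
# Library names under lib/ and vendor/ are fictional.
REPORT = [
    ("alpha",   "src/main/java/com/example/alpha/UserDao.java",      6),
    ("alpha",   "lib/acme-io/com/acme/io/Streams.java",              3),
    ("bravo",   "src/main/java/com/example/bravo/Upload.java",       3),
    ("bravo",   "lib/fastxml/org/fastxml/Unmarshaller.java",          5),
    ("charlie", "src/main/java/com/example/charlie/Report.java",     7),
    ("charlie", "lib/logkit/org/logkit/net/SocketAppender.java",     1),
    ("delta",   "src/main/java/com/example/delta/Main.java",         1),
    ("delta",   "lib/netkit/org/netkit/client/ProxyRoute.java",      2),
    ("echo",    "src/main/java/com/example/echo/Api.java",           5),
    ("echo",    "src/main/java/com/example/echo/Session.java",       3),
    ("echo",    "lib/collectlib/org/collectlib/io/Files.java",       4),
    ("echo",    "vendor/uiwidgets/widgets.js",                       3),
]


def partition(project, report):
    """Sum warnings in native vs. reused files for one project."""
    native = reused = 0
    for proj, path, count in report:
        if proj != project.name:
            continue
        if path.startswith(project.dep_prefixes):
            reused += count
        else:
            native += count
    return native, reused


def reuse_ratio(project):
    """Reused LOC / total LOC (assumed definition)."""
    return project.reused_loc / (project.native_loc + project.reused_loc)


def per_kloc(count, loc):
    """Warnings per 1000 lines of code (assumed definition)."""
    return 1000.0 * count / loc if loc else 0.0


def metrics(project, report):
    """Reuse ratio plus native, reused and overall warning densities."""
    native, reused = partition(project, report)
    total_loc = project.native_loc + project.reused_loc
    return {
        "reuse_ratio": reuse_ratio(project),
        "native_density": per_kloc(native, project.native_loc),
        "reused_density": per_kloc(reused, project.reused_loc),
        "total_density": per_kloc(native + reused, total_loc),
    }


def ranks(values):
    """1-based ranks; tied values receive their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            out[order[k]] = avg
        i = j + 1
    return out


def spearman(xs, ys):
    """Spearman's rho computed as Pearson correlation of the rank vectors."""
    rx, ry = ranks(xs), ranks(ys)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var = sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry)
    return cov / math.sqrt(var)


def correlate_reuse_and_density(projects, report):
    """Rank correlation between reuse ratio and overall warning density."""
    rows = [metrics(p, report) for p in projects.values()]
    return spearman([r["reuse_ratio"] for r in rows],
                    [r["total_density"] for r in rows])


if __name__ == "__main__":
    for p in PROJECTS.values():
        m = metrics(p, REPORT)
        print(f"{p.name:8} reuse={m['reuse_ratio']:.2f}  "
              f"native={m['native_density']:.2f}/KLOC  "
              f"reused={m['reused_density']:.2f}/KLOC")
    print(f"rho(reuse ratio, total density) = "
          f"{correlate_reuse_and_density(PROJECTS, REPORT):+.2f}")
```

Two caveats worth keeping in mind when applying this to a real corpus: the path-prefix split only works if dependency sources are actually present (for binary-only dependencies, warnings have to be attributed by package or class name instead), and a rank correlation over a handful of projects says nothing about significance; the study's 301 projects are what make its weak-to-moderate figure meaningful.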
