Software security in open source development: A systematic literature review

Despite the security community's emphasis on the importance of building secure open source software (OSS), the number of new vulnerabilities found in OSS is increasing. In addition, software security is about the people who develop and use those applications and how their vulnerable behaviors can lead to exploitation. This creates a need to revisit software security studies of OSS development in order to understand the existing security practices and the security weaknesses among them. In this paper, a systematic review method with a sociotechnical analysis approach is applied to identify, extract and analyze the security studies conducted in the context of open source development. The findings include: (1) system verification is the most cited security area in OSS research; (2) the socio-technical perspective has not gained much attention in this research area; and (3) no research has been conducted that focuses on security knowledge management in OSS development.
