TY - GEN
T1 - A Double-Edged Sword? Software Reuse and Potential Security Vulnerabilities
AU - Gkortzis, Antonios
AU - Feitosa, Daniel
AU - Spinellis, Diomidis
PY - 2019/1/1
Y1 - 2019/1/1
N2 - Reuse is a common and often-advocated software development practice. Significant efforts have been invested into facilitating it, leading to advancements such as software forges, package managers, and the widespread integration of open source components into proprietary software systems. Reused software can make a system more secure through its maturity and extended vetting, or increase its vulnerabilities through a larger attack surface or insecure coding practices. To shed more light on this issue, we investigate the relationship between software reuse and potential security vulnerabilities, as assessed through static analysis. We empirically investigated 301 open source projects in a holistic multiple-case methods study. In particular, we examined the distribution of potential vulnerabilities between the native code created by a project’s development team and external code reused through dependencies, as well as the correlation between the ratio of reuse and the density of vulnerabilities. The results suggest that the amount of potential vulnerabilities in both native and reused code increases with larger project sizes. We also found a weak-to-moderate correlation between a higher reuse ratio and a lower density of vulnerabilities. Based on these findings it appears that code reuse is neither a frightening werewolf introducing an excessive number of vulnerabilities nor a silver bullet for avoiding them.
AB - Reuse is a common and often-advocated software development practice. Significant efforts have been invested into facilitating it, leading to advancements such as software forges, package managers, and the widespread integration of open source components into proprietary software systems. Reused software can make a system more secure through its maturity and extended vetting, or increase its vulnerabilities through a larger attack surface or insecure coding practices. To shed more light on this issue, we investigate the relationship between software reuse and potential security vulnerabilities, as assessed through static analysis. We empirically investigated 301 open source projects in a holistic multiple-case methods study. In particular, we examined the distribution of potential vulnerabilities between the native code created by a project’s development team and external code reused through dependencies, as well as the correlation between the ratio of reuse and the density of vulnerabilities. The results suggest that the amount of potential vulnerabilities in both native and reused code increases with larger project sizes. We also found a weak-to-moderate correlation between a higher reuse ratio and a lower density of vulnerabilities. Based on these findings it appears that code reuse is neither a frightening werewolf introducing an excessive number of vulnerabilities nor a silver bullet for avoiding them.
KW - Case study
KW - Security vulnerabilities
KW - Software reuse
UR - http://www.scopus.com/inward/record.url?scp=85068251070&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-22888-0_13
DO - 10.1007/978-3-030-22888-0_13
M3 - Conference contribution
AN - SCOPUS:85068251070
SN - 9783030228873
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 187
EP - 203
BT - Reuse in the Big Data Era - 18th International Conference on Software and Systems Reuse, ICSR 2019, Proceedings
A2 - Peng, Xin
A2 - Ampatzoglou, Apostolos
A2 - Bhowmik, Tanmay
PB - Springer
T2 - 18th International Conference on Software and Systems Reuse, ICSR 2019
Y2 - 26 June 2019 through 28 June 2019
ER -