TY - JOUR
T1 - Software reuse cuts both ways
T2 - An empirical analysis of its relationship with security vulnerabilities
AU - Gkortzis, Antonios
AU - Feitosa, Daniel
AU - Spinellis, Diomidis
PY - 2021
Y1 - 2021
N2 - Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, as reported in public databases. The results suggest that larger projects are associated with an increase in the number of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and a higher number of vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entails an excessive number of them.
AB - Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, as reported in public databases. The results suggest that larger projects are associated with an increase in the number of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and a higher number of vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entails an excessive number of them.
KW - Case study
KW - Open-source software
KW - Security vulnerabilities
KW - Software reuse
UR - http://www.scopus.com/inward/record.url?scp=85086152747&partnerID=8YFLogxK
U2 - 10.1016/j.jss.2020.110653
DO - 10.1016/j.jss.2020.110653
M3 - Article
AN - SCOPUS:85086152747
SN - 0164-1212
VL - 172
JO - Journal of Systems and Software
JF - Journal of Systems and Software
M1 - 110653
ER -