Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities

Antonios Gkortzis, Daniel Feitosa, Diomidis Spinellis

Research output: Contribution to journalArticleScientificpeer-review

Abstract

Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, reported in public databases. The results suggest that larger projects in size are associated with an increase on the amount of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entail an excessive number of them.

Original languageEnglish
Article number110653
JournalJournal of Systems and Software
Volume172
DOIs
Publication statusPublished - 2021
Externally publishedYes

Keywords

  • Case study
  • Open-source software
  • Security vulnerabilities
  • Software reuse

Fingerprint

Dive into the research topics of 'Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities'. Together they form a unique fingerprint.

Cite this