Journal
JOURNAL OF SYSTEMS AND SOFTWARE
Volume 172, Issue -, Pages -Publisher
ELSEVIER SCIENCE INC
DOI: 10.1016/j.jss.2020.110653
Keywords
Software reuse; Security vulnerabilities; Case study; Open-source software
Ask authors/readers for more resources
The study found that larger projects are associated with an increase in potential vulnerabilities, and there is a strong correlation between the number of dependencies and vulnerabilities. Source code reuse is neither a solution to eliminate vulnerabilities nor a cause for an excessive number of vulnerabilities.
Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, reported in public databases. The results suggest that larger projects in size are associated with an increase on the amount of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entail an excessive number of them. (C) 2020 Published by Elsevier Inc.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available