4.5 Article

Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities

期刊

JOURNAL OF SYSTEMS AND SOFTWARE
卷 172, 期 -, 页码 -

出版社

ELSEVIER SCIENCE INC
DOI: 10.1016/j.jss.2020.110653

关键词

Software reuse; Security vulnerabilities; Case study; Open-source software

向作者/读者索取更多资源

The study found that larger projects are associated with an increase in potential vulnerabilities, and there is a strong correlation between the number of dependencies and vulnerabilities. Source code reuse is neither a solution to eliminate vulnerabilities nor a cause for an excessive number of vulnerabilities.
Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, reported in public databases. The results suggest that larger projects in size are associated with an increase on the amount of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entail an excessive number of them. (C) 2020 Published by Elsevier Inc.

作者

我是这篇论文的作者
点击您的名字以认领此论文并将其添加到您的个人资料中。

评论

主要评分

4.5
评分不足

次要评分

新颖性
-
重要性
-
科学严谨性
-
评价这篇论文

推荐

暂无数据
暂无数据