Inbal Yahav,Ron S. Kenett,Xiaoying Bai

DOI: https://doi.org/10.1007/978-3-662-45231-8_22

2014-01-01

Abstract:The increasing adoption of open source software (OSS) components in software systems introduces new quality risks and testing challenges. OSS components are developed and maintained by open communities and the fluctuation of community members and structures can result in instability of the software quality. Hence, an investigation is necessary to analyze the impact open community dynamics and the quality of the OSS, such as the level and trends in internal communications and content distribution. The analysis results provide inputs to drive selective testing for effective validation and verification of OSS components. The paper suggests an approach for monitoring community dynamics continuously, including communications like email and blogs, and repositories of bugs and fixes. Detection of patterns in the monitored behavior such as changes in traffic levels within and across clusters can be used in turn to drive testing efforts. Our proposal is demonstrated in the case of the XWiki OSS, a Java-based environment that allows for the storing of structured data and the execution of server side scripts within the wiki interface. We illustrate our concepts, methods and approach behind this approach for risk based testing of OSS.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3663529.3663835

2024-01-01

Abstract:Today’s software industry heavily relies on open source software (OSS). However, the rapidly increasing number of OSS software vulnerabilities (SVs) poses huge security risks to the software supply chain. Managing the SVs in the relied OSS components has become a critical concern for software vendors. Due to the limited resources in practice, an essential focus for the vendors is to locate and prioritize the remediation of critical SVs (CSVs), i.e., those tend to cause huge losses. Particularly, in the software industry, vendors are obliged to comply with the security service level agreement (SLA), which mandates the fix of CSVs within a short time frame (e.g., 15 days). However, to the best of our knowledge, there is no empirical study that specifically investigates CSVs. The existing works only target at general SVs, missing a view of the unique characteristics of CSVs. In this paper, we investigate the distributions (from temporal, type, and repository dimension) and the current remediation practice of CSVs in the OSS ecosystem, especially their differences compared with non-critical SVs (NCSVs). We adopt the industry standard to refer SVs with a 9+ Common Vulnerability Scoring System (CVSS) score as CSVs and others as NCSVs. We collect a large-scale dataset containing 14,867 SVs and artifacts associated with their remediation (e.g., issue report, commit) across 4,462 GitHub repositories. Our findings regarding CSV distributions can help practitioners better locate these hot spots. Regarding the remediation practice, we observe that though CSVs receive higher priorities, some practices (e.g., complicated review and testing pro-cess) may unintentionally cause the delay to their fixes. We also point out the risks of SV information leakage during remediation process, which could leave a window-of-opportunity of over 30 days on median for zero-day attacks. Based on our findings, we provide implications to improve the current CSV remediation practice.

Jing Wang,Patrick C. Shih,Yu Wu,John M. Carroll

DOI: https://doi.org/10.1016/j.infsof.2015.06.002

IF: 3.9

2015-01-01

Information and Software Technology

Abstract:The power of open source software peer review lies in the involvement of virtual communities, especially users who typically do not have a formal role in the development process. As communities grow to a certain extent, how to organize and support the peer review process becomes increasingly challenging. A universal solution is likely to fail for communities with varying characteristics. This paper investigates differences of peer review practices across different open source software communities, especially the ones engage distinct types of users, in order to offer contextualized guidance for developing open source software projects. Comparative case studies were conducted in two well-established large open source communities, Mozilla and Python, which engage extremely different types of users. Bug reports from their bug tracking systems were examined primarily, complemented by secondary sources such as meeting notes, blog posts, messages from mailing lists, and online documentations. The two communities differ in the key activities of peer review processes, including different characteristics with respect to bug reporting, design decision making, to patch development and review. Their variances also involve the designs of supporting technology. The results highlight the emerging role of triagers, who bridge the core and peripheral contributors and facilitate the peer review process. The two communities demonstrate alternative designs of open source software peer review and their tradeoffs were discussed. It is concluded that contextualized designs of social and technological solutions to open source software peer review practices are important. The two cases can serve as learning resources for open source software projects, or other types of large software projects in general, to cope with challenges of leveraging enormous contributions and coordinating core developers. It is also important to improve support for triagers, who have not received much research effort yet.

Kholekile L. Gwebu,Jing Wang

DOI: https://doi.org/10.1016/j.dss.2010.12.010

IF: 6.969

2010-01-01

Decision Support Systems

Abstract:While the benefits of incorporating Open Source Software (OSS) into personal and organizational systems have been widely touted, OSS must be adopted and used by end users before these benefits can be realized. Drawing on research in information systems and sociology, this study develops and evaluates an integrated model for the acceptance of OSS. In addition to the traditional technology adoption variables the findings stress the importance of social identification as a key driver of OSS adoption. The proposed model provides a useful decision support tool for assessing and proactively designing interventions targeted at successful OSS adoption and diffusion.

John Sherlock,Manoj Muniswamaiah,Lauren Clarke,Shawn Cicoria

DOI: https://doi.org/10.48550/arXiv.1812.11697

2018-12-31

Other Computer Science

Abstract:Open Source Software (OSS) history is traced to initial efforts in 1971 at Massachusetts Institute of Technology (MIT) Artificial Intelligence (AI) Lab, the initial goals of OSS around Free vs. Freedom, and its evolution and impact on commercial and custom applications. Through OSS history, much of the research and has been around contributors (suppliers) to OSS projects, the commercialization, and overall success of OSS as a development process. In conjunction with OSS growth, intellectual property issues and licensing issues still remain. The consumers of OSS, application architects, in developing commercial or internal applications based upon OSS should consider license risk as they compose their applications using Component Based Software Development (CBSD) approaches, either through source code, binary, or standard protocols such as HTTP.

Jiaqi Wu,Lingfeng Bao,Xiaohu Yang,Xin Xia,Xing Hu

DOI: https://doi.org/10.1145/3643991.3644900

2024-01-01

Abstract:The popularity of open source software (OSS) has led to a significant increase in the number of available licenses, each with their own set of terms and conditions. This proliferation of licenses has made it increasingly challenging for developers to select an appropriate license for their projects and to ensure that they are complying with the terms of those licenses. As a result, there is a need for empirical studies to identify current practices and challenges in license usage, both to help developers make informed decisions about license selection and to ensure that OSS is being used and distributed in a legal and ethical manner. Moreover, the development of new licenses might be required to better meet the needs of the open source community and address emerging legal issues.In this paper, we conduct a large-scale empirical study of license usage across five package management platforms, i.e., Maven, NPM, PyPI, RubyGems, and Cargo. Our objective is to examine the current trends and potential issues in license usage of the OSS community. In total, we analyze the licenses of 33,710,877 packages across the selected five platforms. We statistically analyze licenses in package management platforms from multiple perspectives, e.g., license usage, license incompatibility, license updates, and license evolution. Moreover, we conduct a comparative study of various aspects of core packages and common packages in these platforms. Our results reveal irregularities in license names and license incompatibilities that require attention. We observe both similarities and differences in license usage across the five platforms, with Cargo being the most standardized among them. Finally, we discuss some implications for actions based on our findings.

Xiaozhou Li,Sergio Moreschini

DOI: https://doi.org/10.1007/978-3-030-75251-4_4

2021-01-01

Abstract:Open source software (OSS), playing an increasingly critical role nowadays, has been commonly adopted and integrated in various software products. For many practitioners, selecting and adopting suitable OSS can help them greatly. Though many studies have been conducted on proposing OSS evaluation and selection models, a limited number are followed and used in the industry. Meanwhile, many existing OSS evaluation tools, though providing valuable details, fall short on offering intuitive suggestions in terms of framework-supported evaluation factors. Towards filling the gap, we propose an Open Source Software Project Evaluation and Selection TOol (OSS PESTO). Targeting OSS on Github, the largest OSS source code host, it facilitates the evaluation practice by enabling practitioners to compare candidates therein in terms of selected OSS evaluation models. It also allows in-time Github data collection and customized evaluation that enriches its effectiveness and ease of use.

Stan Zajdel,Diego Elias Costa,Hafedh Mili

DOI: https://doi.org/10.48550/arXiv.2206.10358

2022-06-21

Software Engineering

Abstract:The Open Source Software movement has been growing exponentially for a number of years with no signs of slowing. Driving this growth is the widespread availability of libraries and frameworks that provide many functionalities. Developers are saving time and money incorporating this functionality into their applications resulting in faster more feature-rich releases. Despite the growing success and the advantages that open source software provides, there is a dark side. Due to its community construction and largely unregulated distribution, the majority of open source software contains bugs, vulnerabilities and other issues making it highly susceptible to exploits. The lack of oversight, in general, hinders the quality of this software resulting in a trickle-down effect in the applications that use it. Additionally, developers who use open source tend to arbitrarily download the software into their build systems but rarely keep track of what they have downloaded resulting in an excessive amount of open source software in their applications and in their ecosystem. This paper discusses processes and practices that users of open source software can implement into their environments that can safely track and control the introduction and usage of open source software into their applications, and report on some preliminary results obtained in an industrial context. We conclude by discussing governance issues related to the disciplined use and reuse of open source and areas for further improvements.

Mario Silic,Andrea Back

DOI: https://doi.org/10.1142/s0219622015500364

2016-01-01

Abstract:“Nobody ever got fired for buying IBM,” was a widely used cliché in the 1970s in the corporate IT (information technology) world. Since then, the traditional process of purchasing software has dramatically changed, challenged by the advent of open source software (OSS). Since its inception in the 1980s, OSS has matured, grown, and become one of the important driving forces of the enterprise ecosystem. However, it has also brought important IT security risks that are impacting the OSS IT adoption decision-making process. The recent Heartbleed bug demonstrated the grandeur of the issue. While much of the noise relates to the amplification of perceived risks by the popular mass media coverage, the effect is that many enterprises, mainly for risk reasons, have still chosen not to adopt OSS. We investigated “how do information security related characteristics of OSS affect the risk perception and adoption decision of OSS” by conducting an online survey of 188 IT decision-makers. The proposed Open Source Risk Adoption Model offers novel insights on the importance of the perceived risk antecedents. Our research brings new theoretical contributions, such as understanding the perceived IT security risk (PISR) relationship with adoption intention (AI) in the OSS context, for researchers and important insights for IT information professionals. We have found that IT security risk has a significant role in OSS adoption intention. Our results offer possible future research directions and extend existing theoretical understanding of OSS adoption.

computer science, information systems, artificial intelligence, interdisciplinary applications,operations research & management science

Michael Felderer,Ina Schieferdecker

DOI: https://doi.org/10.48550/arXiv.1912.11519

2019-12-25

Abstract:Software testing has often to be done under severe pressure due to limited resources and a challenging time schedule facing the demand to assure the fulfillment of the software requirements. In addition, testing should unveil those software defects that harm the mission-critical functions of the software. Risk-based testing uses risk (re-)assessments to steer all phases of the test process in order to optimize testing efforts and limit risks of the software-based system. Due to its importance and high practical relevance several risk-based testing approaches were proposed in academia and industry. This paper presents a taxonomy of risk-based testing providing a framework to understand, categorize, assess, and compare risk-based testing approaches to support their selection and tailoring for specific purposes. The taxonomy is aligned with the consideration of risks in all phases of the test process and consists of the top-level classes risk drivers, risk assessment, and risk-based test process. The taxonomy of risk-based testing has been developed by analyzing the work presented in available publications on risk-based testing. Afterwards, it has been applied to the work on risk-based testing presented in this special section of the International Journal on Software Tools for Technology Transfer.

Software Engineering

Jie Xu,Luiz Fernando Capretz,Danny Ho

DOI: https://doi.org/10.48550/arXiv.1507.06906

2015-07-25

Abstract:Software quality assurance has been a heated topic for several decades, but relatively few analyses were performed on open source software (OSS). As OSS has become very popular in our daily life, many researchers have been keen on the quality practices in this area. Although quality management presents distinct patterns compared with those in closed-source software development, some widely used OSS products have been implemented. Therefore, quality assurance of OSS projects has attracted increased research focuses. In this paper, a survey is conducted to reveal the general quality practices in open source communities. Exploratory analysis has been carried out to disclose those quality related activities. The results are compared with those from closed-source environments and the distinguished features of the quality assurance in OSS projects have been confirmed. Moreover, this study suggests potential directions for OSS developers to follow.

Software Engineering

Xiaoying Bai,Ron S. Kenett

2009-01-01

Abstract:Comprehensive testing is necessary to ensure the quality of complex web services that are loosely coupled, dynamic bound and integrated through standard protocols. Testing of such web services ca n be however very expensive due to the diversified us er requirements and the large numbers of service combinations delivered by the open platform. Group testing was introduced in our previous research as a selective testing technique to reduce test cost and improve test efficiencies. This paper proposes a ri sk- based approach to group test selection. With this approach test cases are categorized and scheduled with respect to the risks of their target service features. The paper reports a first attempt for an ontology-b ased quantitative risk assessment of semantic web servic es. The failure rate and the importance of services are estimated based on a complexity and dependency analysis of the ontology specified domain knowledge model and various service model. The paper also discusses the risk-based group testing process and strategies for ranking and ruling-out services of t he test groups, at each risk level. Runtime monitoring mechanism is incorporated to detect the dynamic changes in service configuration and composition so that the risks can be continuously adjusted online.

Frederik L. Dennig,Eren Cakmak,Henrik Plate,Daniel A. Keim

DOI: https://doi.org/10.1109/vizsec53666.2021.00014

2021-10-01

Abstract:The prevalent usage of open-source software (OSS) has led to an increased interest in resolving potential third-party security risks by fixing common vulnerabilities and exposures (CVEs). However, even with automated code analysis tools in place, security analysts often lack the means to obtain an overview of vulnerable OSS reuse in large software organizations. In this design study, we propose VULNEX (Vulnerability Explorer), a tool to audit entire software development organizations. We introduce three complementary table based representations to identify and assess vulnerability exposures due to OSS, which we designed in collaboration with security analysts. The presented tool allows examining problematic projects and applications (repositories), third-party libraries, and vulnerabilities across a software organization. We show the applicability of our tool through a use case and preliminary expert feedback.

Xiaoying Bai,Ron S. Kenett

DOI: https://doi.org/10.1109/COMPSAC.2009.180

2009-01-01

Abstract:Comprehensive testing is necessary to ensure the quality of complex web services that are loosely coupled, dynamic bound and integrated through standard protocols. Testing of such web services can be however very expensive due to the diversified user requirements and the large numbers of service combinations delivered by the open platform. Group testing was introduced in our previous research as a selective testing technique to reduce test cost and improve test efficiencies. It applies test cases efficiently so that the largest percent of problematic web service is detected as early as possible. The paper proposes a risk-based approach to group test selection. With this approach, test cases are categorized and scheduled with respect to the risks of their target service features. The approach is based on the assumption that for a service-based system, the tolerance to a feature’s failure is an inverse ratio to its risk. The risky features should be tested earlier and with more tests. We specially address the problem in the context of semantic Web Services and report a first attempt for an ontology-based quantitative risk assessment. The paper also discusses risk-based group testing process and strategies for ranking and ruling-out services of the test groups, at each risk level. Runtime monitoring mechanism is incorporated to detect the dynamic changes in service configuration and composition so that the risks can be continuously adjusted online.

Xiaoying Bai,Ron S. Kenett,Wei Yu

DOI: https://doi.org/10.1142/S0218194012500167

IF: 1.007

2012-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Testing is necessary to ensure the quality of web services that are loosely coupled, dynamic bound and integrated through standard protocols. Exhaustive testing of web services is usually impossible due to unavailable source code, diversified user requirements and large number of possible service combinations delivered by the open platform. This paper proposes a risk-based approach for selecting and prioritizing test cases for testing service-based systems. We specially address the problem in the context of semantic web services. Semantic web services introduce semantics to service integration and interoperation using ontology models and specifications. Semantic errors are considered more difficult to detect than syntactic errors. Due to the complexity of conceptual uniformity, it is hard to ensure the completeness, consistency and unified quality of ontology model. A failure of the semantic service-based software may result from many factors such as misused data, unsuccessful service binding, and unexpected usage scenarios. This work analyzes the two factors of risk estimation: failure probability and importance, from three aspects: ontology data, service and composite service. With this approach, test cases are associated to semantic features, and are scheduled based on the risks of their target features. Risk assessment is used to control the process of Web Services progressive group testing, including test case ranking, test case selection and service ruling out. This paper discusses the control architecture and adaptive measurement mechanism for adaptive group testing. As a statistical testing technique, the proposed approach aims to detect, as early as possible, the problems with highest impact on the users.

Florian Angermeir,Markus Voggenreiter,Fabiola Moyón,Daniel Mendez,Fabiola Moyon

DOI: https://doi.org/10.1109/icse-seip52600.2021.00037

2021-05-01

Abstract:Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early. In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.

Jessy Ayala,Yu-Jye Tung,Joshua Garcia

2024-09-12

Abstract:In open-source software (OSS), software vulnerabilities have significantly increased. Although researchers have investigated the perspectives of vulnerability reporters and OSS contributor security practices, understanding the perspectives of OSS maintainers on vulnerability management and platform security features is currently understudied. In this paper, we investigate the perspectives of OSS maintainers who maintain projects listed in the GitHub Advisory Database. We explore this area by conducting two studies: identifying aspects through a listing survey ($n_1=80$) and gathering insights from semi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find that supply chain mistrust and lack of automation for vulnerability management are the most challenging, and barriers to adopting platform security features include a lack of awareness and the perception that they are not necessary. Surprisingly, we find that despite being previously vulnerable, some maintainers still allow public vulnerability reporting, or ignore reports altogether. Based on our findings, we discuss implications for OSS platforms and how the research community can better support OSS vulnerability management efforts.

Software Engineering,Cryptography and Security

Nusrat Zahan

DOI: https://doi.org/10.1109/ICSE-Companion58688.2023.00068

2023-05-01

Abstract:Sonatype has recorded an average 700% jump in software supply chain attacks [1], measured by the number of newly-published malicious packages in open-source repositories. The 2022 Synopsys report [2] assessed the reliance of the software industry on open-source software (OSS), and estimated that 97% of applications use OSS and 78% of the code comes from OSS. Practitioners did not anticipate how the software supply chain would become a deliberate attack vector and how the risk of the software supply chain would keep growing. Practitioners are more aware of the supply chain risks and want to know how to detect the implementation of package security practices and the security risk so they can make informed decisions to select dependencies for their projects. The goal of this research is to aid practitioners in producing more secure software products that are resistant to supply chain attacks through the identification and evaluation of actionable security metrics to detect risky components in the dependency graph. To achieve this goal, the thesis presents research on software security metrics evaluation in different ecosystems by leveraging software security frameworks, malicious attack vectors, and the OpenSSF Scorecard project to detect the implementation of secure practices and their significance to security outcomes.

Computer Science,Business,Engineering

Dana Sulistiyo Kusumo,Mark Staples,Liming Zhu,He Zhang,D. Ross Jeffery

DOI: https://doi.org/10.1049/ic.2012.0031

2012-01-01

Abstract:Background- Risks associated with a software project have the potential to affect all stakeholders. Today much software makes use of off-the-shelf (OTS) components. A better understanding of OTS-derived software risks will help to define responsibilities for these risks, and also to avoid them. Aim- Our objective is to identify, classify and compare risks of OTS-based software projects from both a software development and a software acquisition perspective. Method- To identify and classify the risks, we performed a systematic mapping study. In order to compare risks of OTS-based software development and acquisition in the real world setting, we used the mapping study results to survey occurrences of 11 shared risks in OTS-based software, in 35 OTS-based software developments and 34 OT-Sbased software acquisitions of Indonesian background. The survey is a partial replication of a previous study. Results- We identified 133 risks associated with OTS-based software development and 36 risks associated with OTS-based software acquisition. These risks are grouped into 17 risk categories. Risks occurred more frequently in software acquisition than in software development. In addition, two risks, insufficient OTS component documents and lack of provider technical support and training, frequently occurred only in the software development. Conclusions- In OTS-based projects, most risks for acquisition and development are similar. Technical-related risks are found less often in acquisition and project management related risks are found less often in development. Shared risks are perceived differently by developers and acquirers. Better understanding of actual and perceived risk in OTS-based software projects will improve risk management. Further work to validate these results is ongoing.

Yukako Iimura,Masanari Kondo,Kazushi Tomoto,Yasutaka Kamei,Naoyasu Ubayashi,Shinobu Saito

2024-04-14

Abstract:We have selected six myths about the OSS community and have tested whether they are true or not. The purpose of this report is to identify the lessons that can be learned from the development style of the OSS community and the issues that need to be addressed in order to achieve better Employee Experience (EX) in software development within companies and organizations. The OSS community has been led by a group of skilled developers known as hackers. We have great respect for the engineers and activities of the OSS community and aim to learn from them. On the other hand, it is important to recognize that having high expectations can sometimes result in misunderstandings. When there are excessive expectations and concerns, misunderstandings (referred to as myths) can arise, particularly when individuals who are not practitioners rely on hearsay to understand the practices of practitioners. We selected the myths to be tested based on a literature review and interviews. These myths are held by software development managers and customers who are not direct participants in the OSS community. We answered questions about each myth through: 1) Our own analysis of repository data, 2) A literature survey of data analysis conducted by previous studies, or 3) A combination of the two approaches.

Software Engineering