Open source software is often considered to be secure because large developer communities can be leveraged to find and fix security vulnerabilities. Eric Raymond states Linus' Law as "many eyes make all bugs shallow", reasoning that a diverse set of perspectives improves the quality of a software product. However, at what point does the multitude of developers become "too many cooks in the kitchen", causing the system's security to suffer as a result? In a previous study, we quantified Linus' Law and "too many cooks in the kitchen" with developer activity metrics and found a statistical association between these metrics and security vulnerabilities in the Linux kernel. In the replication study reported in this paper, we performed our analysis on two additional projects: the PHP programming language and the Wireshark network protocol analyzer. We also updated our Linux kernel case study with 18 additional months of newly discovered vulnerabilities. In all three case studies, files changed by six or more developers were at least four times more likely to have a vulnerability than files changed by fewer than six developers. Furthermore, we found that our predictive models improved on average when combining data from multiple projects, indicating that models can be transferred from one project to another.