Measuring subversions: security and legal risk in reused software artifacts

Authors:
Julius Davies
Affiliations:
University of Victoria, Victoria, BC, Canada
Venue:
Proceedings of the 33rd International Conference on Software Engineering
Year:
2011

Citing 10
Cited 1

Approximate Structural Context Matching: An Approach to Recommend Relevant Examples

IEEE Transactions on Software Engineering
Very-Large Scale Code Clone Analysis and Visualization of Open Source Programs Using Distributed CCFinder: D-CCFinder

ICSE '07 Proceedings of the 29th international conference on Software Engineering
OPUS: online patches and updates for security

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Software Component Models

IEEE Transactions on Software Engineering
Parseweb: a programmer assistant for reusing open source code on the web

Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering
Semantics-based code search

ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Understanding and Auditing the Licensing of Open Source Software Distributions

ICPC '10 Proceedings of the 2010 IEEE 18th International Conference on Program Comprehension
A sentence-matching method for automatic license identification of source code files

Proceedings of the IEEE/ACM international conference on Automated software engineering
Toward automated detection of logic vulnerabilities in web applications

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Software bertillonage: finding the provenance of an entity

Proceedings of the 8th Working Conference on Mining Software Repositories

Software Bertillonage

Empirical Software Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

A software system often includes a set of library dependencies and other software artifacts necessary for the system's proper operation. However, long-term maintenance problems related to reused software can gradually emerge over the lifetime of the deployed system. In our exploratory study we propose a manual technique to locate documented security and legal problems in a set of reused software artifacts. We evaluate our technique with a case study of 81 Java libraries found in a proprietary e-commerce web application. Using our approach we discovered both a potential legal problem with one library, and a second library that was affected by a known security vulnerability. These results support our larger thesis: software reuse entails long-term maintenance costs. In future work we strive to develop automated techniques by which developers, managers, and other software stakeholders can measure, address, and minimize these costs over the lifetimes of their software assets.