DOI: 10.23919/FRUCT.2017.8250205

Software Security in Open Source Development: A Systematic Literature Review

Published: 13 November 2017

Abstract

Despite the security community's emphasis on the importance of building secure open source software (OSS), the number of new vulnerabilities found in OSS is increasing. In addition, software security is about the people who develop and use those applications and how their vulnerable behaviors can lead to exploitation. This leads to a need for reiteration of software security studies for OSS development to understand the existing security practices and the security weaknesses among them. In this paper, a systematic review method with a socio-technical analysis approach is applied to identify, extract and analyze the security studies conducted in the context of open source development. The findings include: (1) System verification is the most cited security area in OSS research; (2) The socio-technical perspective has not gained much attention in this research area; and (3) No research has been conducted focusing on the aspects of security knowledge management in OSS development.



Published In

FRUCT'21: Proceedings of the 21st Conference of Open Innovations Association FRUCT
November 2017
407 pages

Publisher

FRUCT Oy, Helsinki, Uusimaa, Finland

Author Tags

1. Literature review
2. Open source software
3. Socio-technical
4. Software security

Cited By

• (2024) "Software Supply Chain Risk: Characterization, Measurement & Attenuation". Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp. 2506-2509. DOI: 10.1145/3691620.3695608. Online publication date: 27 Oct 2024.
• (2024) "Evaluating software security maturity using OWASP SAMM". Journal of Systems and Software, volume 214, issue C. DOI: 10.1016/j.jss.2024.112062. Online publication date: 1 Aug 2024.
• (2024) "A Survey on Secure Refactoring". SN Computer Science, volume 5, issue 7. DOI: 10.1007/s42979-024-03325-y. Online publication date: 12 Oct 2024.
• (2021) "Infiltrating security into development: exploring the world's largest software security study". Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1326-1336. DOI: 10.1145/3468264.3473926. Online publication date: 20 Aug 2021.
• (2020) "A Comparison Study of Available Sofware Security Ontologies". Proceedings of the 24th International Conference on Evaluation and Assessment in Software Engineering, pp. 499-504. DOI: 10.1145/3383219.3383292. Online publication date: 15 Apr 2020.
• (2019) "An empirical study of security culture in open source software communities". Proceedings of the 2019 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, pp. 863-870. DOI: 10.1145/3341161.3343520. Online publication date: 27 Aug 2019.
• (2019) "Learning Software Security in Context". Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1-10. DOI: 10.1145/3339252.3340336. Online publication date: 26 Aug 2019.
• (2019) "Preliminary Evaluation of an Ontology-Based Contextualized Learning System for Software Security". Proceedings of the 23rd International Conference on Evaluation and Assessment in Software Engineering, pp. 90-99. DOI: 10.1145/3319008.3319017. Online publication date: 15 Apr 2019.
• (2018) "Learning secure programming in open source software communities". Proceedings of the 6th International Conference on Information and Education Technology, pp. 25-32. DOI: 10.1145/3178158.3178202. Online publication date: 6 Jan 2018.
