When Are OSS Developers More Likely to Introduce Vulnerable Code Changes? A Case Study

  • Amiangshu Bosu
  • Jeffrey C. Carver
  • Munawar Hafiz
  • Patrick Hilley
  • Derek Janni
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 427)

Abstract

We analyzed peer code review data of the Android Open Source Project (AOSP) to understand whether code changes that introduce security vulnerabilities, referred to as vulnerable code changes (VCC), occur at certain intervals. Using a systematic manual analysis process, we identified 60 VCCs. Our results suggest that AOSP developers were more likely to write VCCs prior to AOSP releases, while during the post-release period they wrote fewer VCCs.

Keywords

Open Source, OSS, FOSS, security, vulnerability

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Amiangshu Bosu (1)
  • Jeffrey C. Carver (1)
  • Munawar Hafiz (2)
  • Patrick Hilley (3)
  • Derek Janni (4)

  1. University of Alabama, USA
  2. Auburn University, USA
  3. Providence College, USA
  4. Lewis & Clark College, USA