Security Knowledge Management in Open Source Software Communities

Conference paper in: Innovative Security Solutions for Information Technology and Communications (SECITC 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11359)

Abstract

Open source software (OSS) communities are groups of individuals, technical or non-technical, who interact with collaborating peers in online communities of practice to develop OSS, solve particular software problems and exchange ideas. People join OSS communities with differing levels of programming skill and experience and might lack formal, college-level software security training. There remains a lot of confusion in participants’ minds as to what secure code is and what the project wants. Another problem is that the huge amount of software security information available nowadays has resulted in a form of information overload for software engineers, who usually finish studying it with no clue about how to apply those principles properly to their own applications. This leads to a knowledge gap between the knowledge available and the knowledge required to build secure applications in the context of software projects. Given the increased importance and complexity of OSS in today’s world, lacking proper security knowledge to handle vulnerabilities in OSS development will result in more serious breaches in the future. The goal of this research work is to fill the knowledge gap by providing an artifact that would facilitate effective security-knowledge transfer and learning in the context of OSS development. In this work-in-progress paper, we present our ongoing research work, following the design science research methodology, on the domain problem identification and the development of the artifact.

Author information

Authors: Shao-Fang Wen, Mazaher Kianpour and Basel Katt (corresponding authors).

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Wen, SF., Kianpour, M., Katt, B. (2019). Security Knowledge Management in Open Source Software Communities. In: Lanet, JL., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2018. Lecture Notes in Computer Science(), vol 11359. Springer, Cham. https://doi.org/10.1007/978-3-030-12942-2_6

  • DOI: https://doi.org/10.1007/978-3-030-12942-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12941-5

  • Online ISBN: 978-3-030-12942-2

  • eBook Packages: Computer Science (R0)
