When Are OSS Developers More Likely to Introduce Vulnerable Code Changes? A Case Study
We analyzed peer code review data of the Android Open Source Project (AOSP) to understand whether code changes that introduce security vulnerabilities, referred to as vulnerable code changes (VCC), occur at certain intervals. Using a systematic manual analysis process, we identified 60 VCCs. Our results suggest that AOSP developers were more likely to write VCCs prior to AOSP releases, while during the post-release period they wrote fewer VCCs.
KeywordsOpen Source OSS FOSS security vulnerability
- 1.Meneely, A., Williams, L.: Secure open source collaboration: an empirical study of linus’ law. In: Proc. 16th ACM Conf. on Comp. and Comm. Security, pp. 453–462 (2009)Google Scholar
- 2.Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proc. 14th ACM Conf. Comp. and Comm. Security, pp. 529–540 (2007)Google Scholar