When Are OSS Developers More Likely to Introduce Vulnerable Code Changes? A Case Study

Publication Type: Book Chapter
Year of Publication: 2014
Authors: Bosu, A; Carver, JC; Hafiz, M; Hilley, P; Janni, D
Secondary Authors (Editors): Corral, L; Sillitti, A; Succi, G; Vlasenko, J; Wasserman, AI
Secondary Title: Open Source Software: Mobile Open Source Technologies
Series Title: IFIP Advances in Information and Communication Technology
Volume: 427
Pagination: 234-236
Publisher: Springer Berlin Heidelberg
ISBN Number: 978-3-642-55127-7
Keywords: FOSS, open source, OSS, security, vulnerability
Abstract

We analyzed peer code review data of the Android Open Source Project (AOSP) to understand whether code changes that introduce security vulnerabilities, referred to as vulnerable code changes (VCCs), are concentrated in particular periods of the release cycle. Using a systematic manual analysis process, we identified 60 VCCs. Our results suggest that AOSP developers were more likely to write VCCs prior to AOSP releases, while during the post-release period they wrote fewer VCCs.

URL: http://dx.doi.org/10.1007/978-3-642-55128-4_37
DOI: 10.1007/978-3-642-55128-4_37