Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks.
Saved in:
| Title: | Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks. |
|---|---|
| Authors: | Massacci, Fabio1 fabio.massacci@ieee.org, Pashchenko, Ivan2 ivan.pashchenko@unitn.it |
| Source: | ICSE: International Conference on Software Engineering. 5/22/2021, p1386-1397. 12p. |
| Subjects: | Software ecosystems, Open source software, Software libraries (Computer programming), Software engineering, Artificial intelligence |
| Abstract: | In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to multiply the offered functionalities with a much smaller own codebase. In finance as in software, leverage magnifies profits when returns from borrowing exceed costs of integration, but it may also magnify losses, in particular in the presence of security vulnerabilities. We aim to understand the level of technical leverage in the FOSS ecosystem and whether it can be a potential source of security vulnerabilities. Also, we introduce two metrics change distance and change direction to capture the amount and the evolution of the dependency on third-party libraries. The application of the proposed metrics on 8494 distinct library versions from the FOSS Maven-based Java libraries shows that small and medium libraries (less than 100KLoC) have disproportionately more leverage on FOSS dependencies in comparison to large libraries. We show that leverage pays off as leveraged libraries only add a 4% delay in the time interval between library releases while providing four times more code than their own. However, libraries with such leverage (i.e., 75% of libraries in our sample) also have 1.6 higher odds of being vulnerable in comparison to the libraries with lower leverage. We provide an online demo for computing the proposed metrics for real-world software libraries available under the following URL: https://techleverage.eu/. [ABSTRACT FROM AUTHOR] |
| Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
| FullText | Links: – Type: pdflink Text: Availability: 0 |
|---|---|
| Header | DbId: egs DbLabel: Engineering Source An: 155538780 AccessLevel: 6 PubType: Conference PubTypeId: conference PreciseRelevancyScore: 0 |
| IllustrationInfo | |
| Items | – Name: Title Label: Title Group: Ti Data: Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks. – Name: Author Label: Authors Group: Au Data: <searchLink fieldCode="AR" term="%22Massacci%2C+Fabio%22">Massacci, Fabio</searchLink><relatesTo>1</relatesTo><i> fabio.massacci@ieee.org</i><br /><searchLink fieldCode="AR" term="%22Pashchenko%2C+Ivan%22">Pashchenko, Ivan</searchLink><relatesTo>2</relatesTo><i> ivan.pashchenko@unitn.it</i> – Name: TitleSource Label: Source Group: Src Data: <searchLink fieldCode="JN" term="%22ICSE%3A+International+Conference+on+Software+Engineering%22">ICSE: International Conference on Software Engineering</searchLink>. 5/22/2021, p1386-1397. 12p. – Name: Subject Label: Subjects Group: Su Data: <searchLink fieldCode="DE" term="%22Software+ecosystems%22">Software ecosystems</searchLink><br /><searchLink fieldCode="DE" term="%22Open+source+software%22">Open source software</searchLink><br /><searchLink fieldCode="DE" term="%22Software+libraries+%28Computer+programming%29%22">Software libraries (Computer programming)</searchLink><br /><searchLink fieldCode="DE" term="%22Software+engineering%22">Software engineering</searchLink><br /><searchLink fieldCode="DE" term="%22Artificial+intelligence%22">Artificial intelligence</searchLink> – Name: Abstract Label: Abstract Group: Ab Data: In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to multiply the offered functionalities with a much smaller own codebase. In finance as in software, leverage magnifies profits when returns from borrowing exceed costs of integration, but it may also magnify losses, in particular in the presence of security vulnerabilities. We aim to understand the level of technical leverage in the FOSS ecosystem and whether it can be a potential source of security vulnerabilities. Also, we introduce two metrics change distance and change direction to capture the amount and the evolution of the dependency on third-party libraries. The application of the proposed metrics on 8494 distinct library versions from the FOSS Maven-based Java libraries shows that small and medium libraries (less than 100KLoC) have disproportionately more leverage on FOSS dependencies in comparison to large libraries. We show that leverage pays off as leveraged libraries only add a 4% delay in the time interval between library releases while providing four times more code than their own. However, libraries with such leverage (i.e., 75% of libraries in our sample) also have 1.6 higher odds of being vulnerable in comparison to the libraries with lower leverage. We provide an online demo for computing the proposed metrics for real-world software libraries available under the following URL: https://techleverage.eu/. [ABSTRACT FROM AUTHOR] – Name: AbstractSuppliedCopyright Label: Group: Ab Data: <i>Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.) |
| PLink | https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=155538780 |
| RecordInfo | BibRecord: BibEntity: Identifiers: – Type: doi Value: 10.1109/ICSE43902.2021.00125 Languages: – Code: eng Text: English PhysicalDescription: Pagination: PageCount: 12 StartPage: 1386 Subjects: – SubjectFull: Software ecosystems Type: general – SubjectFull: Open source software Type: general – SubjectFull: Software libraries (Computer programming) Type: general – SubjectFull: Software engineering Type: general – SubjectFull: Artificial intelligence Type: general Titles: – TitleFull: Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks. Type: main BibRelationships: HasContributorRelationships: – PersonEntity: Name: NameFull: Massacci, Fabio – PersonEntity: Name: NameFull: Pashchenko, Ivan IsPartOfRelationships: – BibEntity: Dates: – D: 22 M: 05 Text: 5/22/2021 Type: published Y: 2021 Titles: – TitleFull: ICSE: International Conference on Software Engineering Type: main |
| ResultId | 1 |