Abstract
We analyzed peer code review data of the Android Open Source Project (AOSP) to understand whether code changes that introduce security vulnerabilities, referred to as vulnerable code changes (VCC), occur at certain intervals. Using a systematic manual analysis process, we identified 60 VCCs. Our results suggest that AOSP developers were more likely to write VCCs prior to AOSP releases, while during the post-release period they wrote fewer VCCs.
© 2014 IFIP International Federation for Information Processing
Cite this paper
Bosu, A., Carver, J.C., Hafiz, M., Hilley, P., Janni, D. (2014). When Are OSS Developers More Likely to Introduce Vulnerable Code Changes? A Case Study. In: Corral, L., Sillitti, A., Succi, G., Vlasenko, J., Wasserman, A.I. (eds) Open Source Software: Mobile Open Source Technologies. OSS 2014. IFIP Advances in Information and Communication Technology, vol 427. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55128-4_37
DOI: https://doi.org/10.1007/978-3-642-55128-4_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55127-7
Online ISBN: 978-3-642-55128-4