DOI: 10.1145/3372297.3417232
Research article

A Qualitative Study of Dependency Management and Its Security Implications

Published: 02 November 2020 Publication History

Abstract

Several large-scale studies of the Maven, NPM, and Android ecosystems point out that many developers do not often update their vulnerable software libraries, thus exposing the users of their code to security risks. The purpose of this study is to qualitatively investigate the choices developers make and the interplay of functional and security concerns in their overall decision-making strategies for selecting, managing, and updating software dependencies.
We ran 25 semi-structured interviews with developers from both large and small-to-medium enterprises located in nine countries. All interviews were transcribed, coded, and analyzed according to applied thematic analysis. They highlight the trade-offs that developers face and that security researchers must understand in order to provide effective support for mitigating vulnerabilities (for example, bundling security fixes with functional changes might hinder adoption, because teams lack the resources to fix functional breaking changes).
We further distill our observations into actionable implications for what algorithms and automated tools should achieve to effectively support (semi-)automatic dependency management.

Supplementary Material

MOV File (Copy of CSS2020_fp043_ A Qualitative Study - Nano Zii.mov)
Presentation video



Published In

CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
October 2020
2180 pages
ISBN: 9781450370899
DOI: 10.1145/3372297
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. dependency management
  2. interviews
  3. qualitative study
  4. security
  5. vulnerable dependencies

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By
  • (2024) The Study of Uses and Gratification Theory of TikTok as A Shopping Platform Seen from Buyers' View. Journal of Digital Marketing and Communication 4:1, 7-18. DOI: 10.53623/jdmc.v4i1.429. Online publication date: 20-May-2024.
  • (2024) BinEq - A Benchmark of Compiled Java Programs to Assess Alternative Builds. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 15-25. DOI: 10.1145/3689944.3696162. Online publication date: 19-Nov-2024.
  • (2024) Developers' Approaches to Software Supply Chain Security: An Interview Study. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 56-66. DOI: 10.1145/3689944.3696160. Online publication date: 19-Nov-2024.
  • (2024) Dependency-Induced Waste in Continuous Integration: An Empirical Study of Unused Dependencies in the npm Ecosystem. Proceedings of the ACM on Software Engineering 1:FSE, 2632-2655. DOI: 10.1145/3660823. Online publication date: 12-Jul-2024.
  • (2024) CNEPS: A Precise Approach for Examining Dependencies among Third-Party C/C++ Open-Source Components. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-12. DOI: 10.1145/3597503.3639209. Online publication date: 20-May-2024.
  • (2024) Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors. 2024 IEEE Symposium on Security and Privacy (SP), 1160-1178. DOI: 10.1109/SP54263.2024.00215. Online publication date: 19-May-2024.
  • (2024) Enhancing Security through Modularization: A Counterfactual Analysis of Vulnerability Propagation and Detection Precision. 2024 IEEE International Conference on Source Code Analysis and Manipulation (SCAM), 94-105. DOI: 10.1109/SCAM63643.2024.00019. Online publication date: 7-Oct-2024.
  • (2024) BUMP: A Benchmark of Reproducible Breaking Dependency Updates. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 159-170. DOI: 10.1109/SANER60148.2024.00024. Online publication date: 12-Mar-2024.
  • (2024) Managing Security Vulnerabilities Introduced by Dependencies in React.JS JavaScript Framework. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C), 126-133. DOI: 10.1109/SANER-C62648.2024.00022. Online publication date: 12-Mar-2024.
  • (2024) Understanding Software Behaviors via API Usage Visualization. 2024 18th International Conference on Advanced Computing and Analytics (ACOMPA), 115-122. DOI: 10.1109/ACOMPA64883.2024.00024. Online publication date: 27-Nov-2024.