
Organizational Influence on Security Development in Open-Source Software Projects

Published: 07 November 2024

Abstract

Increasing technological complexity, intensified competition, and security requirements have driven open-source software (OSS) projects to become a crucial part of organizations' software development. This study focuses on the OSS project TensorFlow (TF) and uses a case study to examine how organizations and their associated developers collaborate to identify, fix and prevent security vulnerabilities. Social Network Analysis (SNA) of archived security data from software repositories is used to gain insight into security activities. The study examines the internal structure and evolution of security code collaboration, organizational networks, and top organizational contributors to TF. It also examines productivity, homophily, development diversity, and turnover rates among developers across various software releases. The in-depth insights from this research enhance our understanding of collaborative patterns in OSS communities within open software ecosystems, particularly in the security context.


Published In

International Journal of Systems and Software Security and Protection, Volume 15, Issue 1
Oct 2024
20 pages

Publisher

IGI Global, United States


Author Tags

  1. Diversity
  2. Evolution
  3. Open source
  4. Organizational Influence
  5. Productivity
  6. Security
  7. Social Network Analysis
  8. Software Development Project
  9. Structural
  10. TensorFlow
  11. Vulnerabilities
