Technical leverage in a software ecosystem: Development opportunities and security risks

Fabio Massacci; Ivan Pashchenko

doi:10.1109/ICSE43902.2021.00125

Technical leverage in a software ecosystem: Development opportunities and security risks

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to multiply the offered functionalities with a much smaller own codebase. In finance as in software, leverage magnifies profits when returns from borrowing exceed costs of integration, but it may also magnify losses, in particular in the presence of security vulnerabilities. We aim to understand the level of technical leverage in the FOSS ecosystem and whether it can be a potential source of security vulnerabilities. Also, we introduce two metrics change distance and change direction to capture the amount and the evolution of the dependency on third-party libraries. The application of the proposed metrics on 8494 distinct library versions from the FOSS Maven-based Java libraries shows that small and medium libraries (less than 100KLoC) have disproportionately more leverage on FOSS dependencies in comparison to large libraries. We show that leverage pays off as leveraged libraries only add a 4% delay in the time interval between library releases while providing four times more code than their own. However, libraries with such leverage (i.e., 75% of libraries in our sample) also have 1.6 higher odds of being vulnerable in comparison to the libraries with lower leverage. We provide an online demo for computing the proposed metrics for real-world software libraries available under the following URL: https://techleverage.eu/

Original language	English
Title of host publication	2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)
Subtitle of host publication	Proceedings
Publisher	IEEE Computer Society
Pages	1386-1397
Number of pages	12
ISBN (Electronic)	9780738113197
DOIs	https://doi.org/10.1109/ICSE43902.2021.00125
Publication status	Published - 7 May 2021
Event	43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021 - Virtual, Online, Spain Duration: 22 May 2021 → 30 May 2021

Publication series

Name	Proceedings - International Conference on Software Engineering
ISSN (Print)	0270-5257

Conference

Conference	43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021
Country/Territory	Spain
City	Virtual, Online
Period	22/05/21 → 30/05/21

Bibliographical note

Funding Information:
We would like to thank A.Brucker, G. Kuper and P.Tonella for their insightful comments on early drafts of this work. The graphical abstract for this paper is an artwork by Anna Formi-lan http://annaformilan.com. This work was partly funded by the European Union under the H2020 Programme under grant n. 952647 (AssureMOSS).

Publisher Copyright:
© 2021 IEEE.

Keywords

Dependencies
Empirical analysis
Free open source software
Leverage
Maven
Software security
Technical debt
Vulnerabilities

Access to Document

10.1109/ICSE43902.2021.00125

Handle.net

Persistent link

Cite this

Massacci, F., & Pashchenko, I. (2021). Technical leverage in a software ecosystem: Development opportunities and security risks. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE): Proceedings (pp. 1386-1397). (Proceedings - International Conference on Software Engineering). IEEE Computer Society. https://doi.org/10.1109/ICSE43902.2021.00125

@inproceedings{2c970b87c8ec4f82aa5c980a4dec99e1,

title = "Technical leverage in a software ecosystem: Development opportunities and security risks",

abstract = "In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to multiply the offered functionalities with a much smaller own codebase. In finance as in software, leverage magnifies profits when returns from borrowing exceed costs of integration, but it may also magnify losses, in particular in the presence of security vulnerabilities. We aim to understand the level of technical leverage in the FOSS ecosystem and whether it can be a potential source of security vulnerabilities. Also, we introduce two metrics change distance and change direction to capture the amount and the evolution of the dependency on third-party libraries. The application of the proposed metrics on 8494 distinct library versions from the FOSS Maven-based Java libraries shows that small and medium libraries (less than 100KLoC) have disproportionately more leverage on FOSS dependencies in comparison to large libraries. We show that leverage pays off as leveraged libraries only add a 4% delay in the time interval between library releases while providing four times more code than their own. However, libraries with such leverage (i.e., 75% of libraries in our sample) also have 1.6 higher odds of being vulnerable in comparison to the libraries with lower leverage. We provide an online demo for computing the proposed metrics for real-world software libraries available under the following URL: https://techleverage.eu/ ",

keywords = "Dependencies, Empirical analysis, Free open source software, Leverage, Maven, Software security, Technical debt, Vulnerabilities",

author = "Fabio Massacci and Ivan Pashchenko",

note = "Funding Information: We would like to thank A.Brucker, G. Kuper and P.Tonella for their insightful comments on early drafts of this work. The graphical abstract for this paper is an artwork by Anna Formi-lan http://annaformilan.com. This work was partly funded by the European Union under the H2020 Programme under grant n. 952647 (AssureMOSS). Publisher Copyright: {\textcopyright} 2021 IEEE.; 43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021 ; Conference date: 22-05-2021 Through 30-05-2021",

year = "2021",

month = may,

day = "7",

doi = "10.1109/ICSE43902.2021.00125",

language = "English",

series = "Proceedings - International Conference on Software Engineering",

publisher = "IEEE Computer Society",

pages = "1386--1397",

booktitle = "2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)",

address = "United States",

}

Massacci, F & Pashchenko, I 2021, Technical leverage in a software ecosystem: Development opportunities and security risks. in 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE): Proceedings. Proceedings - International Conference on Software Engineering, IEEE Computer Society, pp. 1386-1397, 43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021, Virtual, Online, Spain, 22/05/21. https://doi.org/10.1109/ICSE43902.2021.00125

Technical leverage in a software ecosystem : Development opportunities and security risks. / Massacci, Fabio; Pashchenko, Ivan.

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE): Proceedings. IEEE Computer Society, 2021. p. 1386-1397 (Proceedings - International Conference on Software Engineering).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Technical leverage in a software ecosystem

T2 - 43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021

AU - Massacci, Fabio

AU - Pashchenko, Ivan

N1 - Funding Information: We would like to thank A.Brucker, G. Kuper and P.Tonella for their insightful comments on early drafts of this work. The graphical abstract for this paper is an artwork by Anna Formi-lan http://annaformilan.com. This work was partly funded by the European Union under the H2020 Programme under grant n. 952647 (AssureMOSS). Publisher Copyright: © 2021 IEEE.

PY - 2021/5/7

Y1 - 2021/5/7

N2 - In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to multiply the offered functionalities with a much smaller own codebase. In finance as in software, leverage magnifies profits when returns from borrowing exceed costs of integration, but it may also magnify losses, in particular in the presence of security vulnerabilities. We aim to understand the level of technical leverage in the FOSS ecosystem and whether it can be a potential source of security vulnerabilities. Also, we introduce two metrics change distance and change direction to capture the amount and the evolution of the dependency on third-party libraries. The application of the proposed metrics on 8494 distinct library versions from the FOSS Maven-based Java libraries shows that small and medium libraries (less than 100KLoC) have disproportionately more leverage on FOSS dependencies in comparison to large libraries. We show that leverage pays off as leveraged libraries only add a 4% delay in the time interval between library releases while providing four times more code than their own. However, libraries with such leverage (i.e., 75% of libraries in our sample) also have 1.6 higher odds of being vulnerable in comparison to the libraries with lower leverage. We provide an online demo for computing the proposed metrics for real-world software libraries available under the following URL: https://techleverage.eu/

AB - In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to multiply the offered functionalities with a much smaller own codebase. In finance as in software, leverage magnifies profits when returns from borrowing exceed costs of integration, but it may also magnify losses, in particular in the presence of security vulnerabilities. We aim to understand the level of technical leverage in the FOSS ecosystem and whether it can be a potential source of security vulnerabilities. Also, we introduce two metrics change distance and change direction to capture the amount and the evolution of the dependency on third-party libraries. The application of the proposed metrics on 8494 distinct library versions from the FOSS Maven-based Java libraries shows that small and medium libraries (less than 100KLoC) have disproportionately more leverage on FOSS dependencies in comparison to large libraries. We show that leverage pays off as leveraged libraries only add a 4% delay in the time interval between library releases while providing four times more code than their own. However, libraries with such leverage (i.e., 75% of libraries in our sample) also have 1.6 higher odds of being vulnerable in comparison to the libraries with lower leverage. We provide an online demo for computing the proposed metrics for real-world software libraries available under the following URL: https://techleverage.eu/

KW - Dependencies

KW - Empirical analysis

KW - Free open source software

KW - Leverage

KW - Maven

KW - Software security

KW - Technical debt

KW - Vulnerabilities

UR - http://www.scopus.com/inward/record.url?scp=85106532226&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85106532226&partnerID=8YFLogxK

U2 - 10.1109/ICSE43902.2021.00125

DO - 10.1109/ICSE43902.2021.00125

M3 - Conference contribution

AN - SCOPUS:85106532226

T3 - Proceedings - International Conference on Software Engineering

SP - 1386

EP - 1397

BT - 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

PB - IEEE Computer Society

Y2 - 22 May 2021 through 30 May 2021

ER -

Technical leverage in a software ecosystem: Development opportunities and security risks

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Handle.net

Other files and links

Fingerprint

Cite this