Technical leverage in a software ecosystem: Development opportunities and security risks

Fabio Massacci, Ivan Pashchenko

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to multiply the offered functionalities with a much smaller own codebase. In finance as in software, leverage magnifies profits when returns from borrowing exceed costs of integration, but it may also magnify losses, in particular in the presence of security vulnerabilities. We aim to understand the level of technical leverage in the FOSS ecosystem and whether it can be a potential source of security vulnerabilities. Also, we introduce two metrics change distance and change direction to capture the amount and the evolution of the dependency on third-party libraries. The application of the proposed metrics on 8494 distinct library versions from the FOSS Maven-based Java libraries shows that small and medium libraries (less than 100KLoC) have disproportionately more leverage on FOSS dependencies in comparison to large libraries. We show that leverage pays off as leveraged libraries only add a 4% delay in the time interval between library releases while providing four times more code than their own. However, libraries with such leverage (i.e., 75% of libraries in our sample) also have 1.6 higher odds of being vulnerable in comparison to the libraries with lower leverage. We provide an online demo for computing the proposed metrics for real-world software libraries available under the following URL: https://techleverage.eu/

Original languageEnglish
Title of host publication2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)
Subtitle of host publication[Proceedings]
PublisherIEEE Computer Society
Pages1386-1397
Number of pages12
ISBN (Electronic)9780738113197
ISBN (Print)9781665402965
DOIs
Publication statusPublished - 7 May 2021
Event43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021 - Virtual, Online, Spain
Duration: 22 May 202130 May 2021

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257

Conference

Conference43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021
Country/TerritorySpain
CityVirtual, Online
Period22/05/2130/05/21

Bibliographical note

Funding Information:
We would like to thank A.Brucker, G. Kuper and P.Tonella for their insightful comments on early drafts of this work. The graphical abstract for this paper is an artwork by Anna Formi-lan http://annaformilan.com. This work was partly funded by the European Union under the H2020 Programme under grant n. 952647 (AssureMOSS).

Publisher Copyright:
© 2021 IEEE.

Funding

We would like to thank A.Brucker, G. Kuper and P.Tonella for their insightful comments on early drafts of this work. The graphical abstract for this paper is an artwork by Anna Formi-lan http://annaformilan.com. This work was partly funded by the European Union under the H2020 Programme under grant n. 952647 (AssureMOSS).

FundersFunder number
H2020 Programme
Horizon 2020 Framework Programme952647
European Commission

    Keywords

    • Dependencies
    • Empirical analysis
    • Free open source software
    • Leverage
    • Maven
    • Software security
    • Technical debt
    • Vulnerabilities

    Fingerprint

    Dive into the research topics of 'Technical leverage in a software ecosystem: Development opportunities and security risks'. Together they form a unique fingerprint.

    Cite this