Measuring subversions: security and legal risk in reused software artifacts

Author(s): Julius Davies
Venue: 33rd International Conference on Software Engineering (ICSE), 2011
Date: 21-28 May 2011

Type of Experiment: Case Study
Sample Size: 81
Class/Experience Level: Graduate Student
Data Collection Method: Code Metric, Project Artifact(s)


This paper proposes that the use of third-party artifacts (such as libraries) carries long-term costs, including legal and security risks. The author observes that the volume of third-party software in use is enormous, and applies a manual technique for discovering the legal and security risks that come from reusing software artifacts.

The author argues that standard software construction today is built on a large base of third-party components. Software reuse is a natural tendency and is widely regarded as a best practice. The author goes on to say that most current research does not look past the immediate costs of using third-party components, focusing instead on the costs (in both money and time) of integrating them.

To expose these long-term costs, the author searches “repositories, project websites, and other resources” for any licensing changes or publicly disclosed security holes concerning the individual components used in a particular software project. The author acknowledges earlier research that searched for legal or security changes in a similar way, but distinguishes this work from it in that known security vulnerabilities are also searched for and tested within the product under scrutiny.

Using only the artifacts themselves as the starting point for finding documentation, the author found reliable legal and security information for over 90% of the artifacts in his sample. Of the 81 libraries and components searched, the author's technique identified one large legal risk and one publicly known security risk. Being able to discover risks in reused components shows that the long-term costs of reused software artifacts deserve further study. Furthermore, large projects must be careful when integrating third-party components: even one security or legal risk is too much.