The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within a proprietary software supply chain of a large European software vendor. To this end we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (e.g., development activity such as commits, code size, or fraction of code size in different programming languages) to identify which one has the major impact on the security effort of using a FOSS component in a larger software product.

On the security cost of using a free and open source component in a proprietary product / Dashevskyi, Stanislav; Brucker, Achim D.; Massacci, Fabio. - PRINT. - 9639:(2016), pp. 190-206. (Paper presented at the 8th International Symposium, ESSoS 2016, held in London, UK, April 6–8, 2016.) [10.1007/978-3-319-30806-7_12].

On the security cost of using a free and open source component in a proprietary product

Dashevskyi, Stanislav; Massacci, Fabio
2016-01-01

2016
Engineering Secure Software and Systems
Switzerland
Springer International Publishing
978-3-319-30805-0
Dashevskyi, Stanislav; Brucker, Achim D.; Massacci, Fabio
Files in this record:
File: dashevskyi.ea-foss-costs-2016.pdf
Access: open access
Type: Refereed post-print (refereed author's manuscript)
Licence: All rights reserved
Size: 567.28 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/169321
Citations
  • Scopus 8