On the Security Cost of Using a Free and Open Source Component in a Proprietary Product

By Stanislav Dashevskyi, Achim D. Brucker, and Fabio Massacci.

The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within a proprietary software supply chain of a large European software vendor. To this extent we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (e.g., development activity such as commits, code size, or fraction of code size in different programming languages) to identify which one has the major impact on the security effort of using a FOSS component in a larger software product.

Keywords:
Free and Open Source Software Usage, Free and Open Source Software Vulnerabilities, Security Maintenance Costs

Please cite this work as follows:
S. Dashevskyi, A. D. Brucker, and F. Massacci, “On the security cost of using a free and open source component in a proprietary product,” in International symposium on engineering secure software and systems (ESSoS), J. Caballero and E. Bodden, Eds. Heidelberg: Springer-Verlag, 2016, pp. 190–206. doi: 10.1007/978-3-319-30806-7_12. Author copy: http://logicalhacking.com/publications/dashevskyi.ea-foss-costs-2016/

BibTeX
@InCollection{ dashevskyi.ea:foss-costs:2016,
  author    = {Stanislav Dashevskyi and Achim D. Brucker and Fabio
               Massacci},
  booktitle = {International Symposium on Engineering Secure Software and
               Systems (ESSoS)},
  language  = {USenglish},
  editor    = {Juan Caballero and Eric Bodden},
  publisher = {Springer-Verlag},
  address   = {Heidelberg},
  series    = {Lecture Notes in Computer Science},
  title     = {On the Security Cost of Using a Free and Open Source
               Component in a Proprietary Product},
  year      = {2016},
  pages     = {190--206},
  number    = {9639},
  isbn      = {978-3-642-11746-6},
  doi       = {10.1007/978-3-319-30806-7_12},
  areas     = {security, software},
  abstract  = {The work presented in this paper is motivated by the need to
               estimate the security effort of consuming Free and Open Source
               Software (FOSS) components within a proprietary software
               supply chain of a large European software vendor. To this
               extent we have identified three different cost models:
               centralized (the company checks each component and propagates
               changes to the different product groups), distributed (each
               product group is in charge of evaluating and fixing its
               consumed FOSS components), and hybrid (only the least used
               components are checked individually by each development team).
               We investigated publicly available factors (e.g., development
               activity such as commits, code size, or fraction of code size
               in different programming languages) to identify which one has
               the major impact on the security effort of using a FOSS
               component in a larger software product.},
  keywords  = {Free and Open Source Software Usage, Free and Open Source
               Software Vulnerabilities, Security Maintenance Costs},
  note      = {Author copy: \url{http://logicalhacking.com/publications/dashevskyi.ea-foss-costs-2016/}},
}