research-article

Secure open source collaboration: an empirical study of linus' law

Authors:

Andrew Meneely,

Laurie WilliamsAuthors Info & Claims

CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

Pages 453 - 462

https://doi.org/10.1145/1653662.1653717

Published: 09 November 2009 Publication History

Abstract

Open source software is often considered to be secure. One factor in this confidence in the security of open source software lies in leveraging large developer communities to find vulnerabilities in the code. Eric Raymond declares Linus' Law "Given enough eyeballs, all bugs are shallow." Does Linus' Law hold up ad infinitum? Or, can the multitude of developers become "too many cooks in the kitchen", causing the system's security to suffer as a result? In this study, we examine the security of an open source project in the context of developer collaboration. By analyzing version control logs, we quantified notions of Linus' Law as well as the "too many cooks in the kitchen" viewpoint into developer activity metrics. We performed an empirical case study by examining correlations between the known security vulnerabilities in the open source Red Hat Enterprise Linux 4 kernel and developer activity metrics. Files developed by otherwise-independent developer groups were more likely to have a vulnerability, supporting Linus' Law. However, files with changes from nine or more developers were 16 times more likely to have a vulnerability than files changed by fewer than nine developers, indicating that many developers changing code may have a detrimental effect on the system's security.

References

[1]

C. Bird, D. Pattison, R. D'Souza et al., "Latent Social Structures in Open Source Projects," in FSE, Atlanta, GA, 2008, p. p24--36.

Digital Library

[2]

U. Brandes, and T. Erlebach, Network Analysis: Methodological Foundations, Berlin: Springer, 2005.

Digital Library

[3]

F. Brooks, The mythical man--month: Addison-Wesley, 1995.

Digital Library

[4]

A. Endres, and D. Rombach, A Handbook of Software and Systems Engineering: Empirical Observations, Laws and Theories: Addison Wesley, 2003.

[5]

M. Girvan, and M. E. J. Newman, "Community Structure in Social and Biological Networks," The Proceedings of the National Academy of Sciences, vol. 99, no. 12, p. 7821--7826, 2001.

[6]

J. M. Gonzales-Barahona, L. Lopez-Fernandez, and G. Robles, "Applying Social Network Analysis to the Information in CVS Repositories," in 2005 Mining Software Repositories, Edinburgh, Scotland, United Kingdom, 2004, p.

[7]

J.-H. Hoepman, and B. Jacobs, "Increased security through open source," Commun. ACM, vol. 50, no. 1, p. 79--83, 2007.

Digital Library

[8]

ISO, ISO/IEC DIS 14598--1 Information Technology - Software Product Evaluation, 1996.

[9]

M. M. Lehman, and L. Belady, Program Evolution: Processes of Software Change, London: Academic Press, 1985.

Digital Library

[10]

M. M. Lehman, and J. F. Ramil, "Rules and Tools for Software Evolution Planning and Management," Annals of Software Engineering, vol. 11, no. 1, p. 15--44, 2001.

Digital Library

[11]

M. M. Lehman, J. F. Ramil, P. D. Wernick et al., "Metrics and Laws of Software Evolution --- The Nineties View," in 4th International Software Metrics Symposium (METRICS'97), Albuquerque, NM, 1997, p. 20--32.

Digital Library

[12]

A. M. Martinez, and A. C. Kak, "PCA versus LDA," IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 23, no. 2, p. 228--233, 2001.

Digital Library

[13]

A. Meneely, L. Williams, J. Osborne et al., "Predicting Failures with Developer Networks and Social Network Analysis " in Foundations in Software Engineering, Atlanta, GA, 2008, p. to appear.

Digital Library

[14]

N. Nagappan, and T. Ball, "Use of Relative Code Churn Measures to Predict System Defect Density," in 27th International Conference on Software Engineering, St. Louis, MO, USA, 2005, p. 284--292.

Digital Library

[15]

N. Nagappan, B. Murphy, and V. R. Basili, "The Influence of Organizational Structure on Software Quality," in International Conference on Software Engineering, Leipzig, Germany, 2008, p. 521--530.

Digital Library

[16]

K. Numata, S. Imoto, and S. Miyano, "A Structure Learning Algorithm for Inference of Gene Networks from Microarray Gene Expression Data Using Bayesian Networks," in Bioinformatics and Bioengineering, 2007. BIBE 2007., p. 1280--1284.

[17]

M. Pinzger, N. Nagappan, and B. Murphy, "Can Developer-Module Networks Predict Failures?," in Foundations in Software Engineering, Atlanta, GA, 2008, p. 2--12.

Digital Library

[18]

M. Pinzger, N. Nagappan, and B. Murphy, "Can Developer-Module Networks Predict Failures?," in Foundations in Software Engineering, Atlanta, GA, 2008, p. to appear.

Digital Library

[19]

E. S. Raymond, The Cathedral and the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary, Sebastopol, California: O'Reilly and Associates, 1999.

Digital Library

[20]

N. F. Schneidewind, "Methodology For Validating Software Metrics," IEEE Transactions on Software Engineering, vol. 18, no. 5, p. 410--422, 1992.

Digital Library

[21]

Y. Shin, A. Meneely, L. Williams et al., "Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities," NCSU CSC Technical Report TR-2009-10, submitted to IEEE TSE.

[22]

K. Tae-Kyun, and J. Kittler, "Locally linear discriminant analysis for multimodally distributed classes for face recognition with a single model image," Pattern Analysis and Machine Intelligence, IEEE Transactions on, vol. 27, no. 3, p. 318--327, 2005.

Digital Library

[23]

B. Witten, C. Landwehr, and M. Caloyannides, "Does Open Source Improve System Security?," IEEE Softw., vol. 18, no. 5, p. 57--61, 2001.

Digital Library

[24]

I. H. Witten, and E. Frank, Data Mining: Practical machine learning tools and techniques, 2 ed., San Francisco: Morgan Kaufmann, 2005.

Digital Library

Cited By

Chughtai MBibi IKarim SShah SLaghari AKhan A(2024)Deep learning trends and future perspectives of web security and vulnerabilitiesJournal of High Speed Networks10.3233/JHS-23003730:1(115-146)Online publication date: 10-Jan-2024
https://doi.org/10.3233/JHS-230037
Wu YLiu CXu ZZhang LZhang YZhu ZLiu YFilkov VRay BZhou M(2024)The Software Genome Project: Unraveling Software Through Genetic PrinciplesProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695307(2319-2323)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695307
Thongtanunam PTantithamthavorn C(2024)Code Ownership: The Principles, Differences, and Their Associations with Software Quality2024 IEEE 35th International Symposium on Software Reliability Engineering (ISSRE)10.1109/ISSRE62328.2024.00044(379-390)Online publication date: 28-Oct-2024
https://doi.org/10.1109/ISSRE62328.2024.00044
Show More Cited By

Index Terms

Secure open source collaboration: an empirical study of linus' law
1. Software and its engineering
  1. Software creation and management
    1. Software development techniques
      1. Reusability
        Software product lines
    2. Software verification and validation
      1. Process validation

Recommendations

Strengthening the empirical analysis of the relationship between Linus' Law and software security
ESEM '10: Proceedings of the 2010 ACM-IEEE International Symposium on Empirical Software Engineering and Measurement

Open source software is often considered to be secure because large developer communities can be leveraged to find and fix security vulnerabilities. Eric Raymond states Linus' Law as "many eyes make all bugs shallow", reasoning that a diverse set of ...
Open Source Licensing: Software Freedom and Intellectual Property Law
Open Source License Inconsistencies on GitHub
Almost all software, open or closed, builds on open source software and therefore needs to comply with the license obligations of the open source code. Not knowing which licenses to comply with poses a legal danger to anyone using open source software. ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

November 2009

664 pages

ISBN:9781605588940

DOI:10.1145/1653662

General Chair:
Ehab Al-Shaer
University of North Carolina, Charlotte, USA
,
Program Chairs:
Somesh Jha
University of Wisconsin, USA
,
Angelos D. Keromytis
Columbia University, USA and Symantec Research Labs Europe, France

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 November 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS '09

Sponsor:

SIGSAC

CCS '09: 16th ACM Conference on Computer and Communications Security 2009

November 9 - 13, 2009

Illinois, Chicago, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

96
Total Citations
View Citations
1,130
Total Downloads

Downloads (Last 12 months)56
Downloads (Last 6 weeks)3

Reflects downloads up to 04 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Chughtai MBibi IKarim SShah SLaghari AKhan A(2024)Deep learning trends and future perspectives of web security and vulnerabilitiesJournal of High Speed Networks10.3233/JHS-23003730:1(115-146)Online publication date: 10-Jan-2024
https://doi.org/10.3233/JHS-230037
Wu YLiu CXu ZZhang LZhang YZhu ZLiu YFilkov VRay BZhou M(2024)The Software Genome Project: Unraveling Software Through Genetic PrinciplesProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695307(2319-2323)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695307
Thongtanunam PTantithamthavorn C(2024)Code Ownership: The Principles, Differences, and Their Associations with Software Quality2024 IEEE 35th International Symposium on Software Reliability Engineering (ISSRE)10.1109/ISSRE62328.2024.00044(379-390)Online publication date: 28-Oct-2024
https://doi.org/10.1109/ISSRE62328.2024.00044
Widder DWhittaker MWest S(2024)Why ‘open’ AI systems are actually closed, and why this mattersNature10.1038/s41586-024-08141-1635:8040(827-833)Online publication date: 27-Nov-2024
https://doi.org/10.1038/s41586-024-08141-1
Yuan XLin GMei HTai YZhang J(2024)Software vulnerable functions discovery based on code composite featureJournal of Information Security and Applications10.1016/j.jisa.2024.10371881:COnline publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1016/j.jisa.2024.103718
Zahan NShohan SHarris DWilliams L(2023)Do Software Security Practices Yield Fewer Vulnerabilities?2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)10.1109/ICSE-SEIP58684.2023.00032(292-303)Online publication date: May-2023
https://doi.org/10.1109/ICSE-SEIP58684.2023.00032
Vale GCosta HApel S(2023)Predicting merge conflicts considering social and technical assetsEmpirical Software Engineering10.1007/s10664-023-10395-829:1Online publication date: 15-Dec-2023
https://doi.org/10.1007/s10664-023-10395-8
Budde C(2023)Using Statistical Model Checking for Cybersecurity AnalysisDigital Sovereignty in Cyber Security: New Challenges in Future Vision10.1007/978-3-031-36096-1_2(16-32)Online publication date: 16-Jun-2023
https://doi.org/10.1007/978-3-031-36096-1_2
Zahan NZimmermann TGodefroid PMurphy BMaddila CWilliams LHarman MMiller H(2022)What are weak links in the npm supply chain?Proceedings of the 44th International Conference on Software Engineering: Software Engineering in Practice10.1145/3510457.3513044(331-340)Online publication date: 21-May-2022
https://dl.acm.org/doi/10.1145/3510457.3513044
Bao LXia XHassan AYang XDwyer MDamian DZeller A(2022)V-SZZProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510113(2352-2364)Online publication date: 21-May-2022
https://dl.acm.org/doi/10.1145/3510003.3510113
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten