SECURE PROGRAMMING PRACTICES AND OPEN-SOURCE SYSTEMS
EMPIRICAL INVESTIGATION
Keywords:
secure programming, open-source systems, cloud computing, static analysis, vulnerabilities, unsafe functions
Abstract
In the era of Open-Source Systems (OSS), security is one of the most important issues with a direct impact on the reliability of software systems. Security is significantly affected by the way programmers write their code and by their level of proficiency in secure programming practices. In many problem domains, open-source systems are written by participants with sufficient experience in their fields; however, it is not unusual for some of those participants to have a limited background in secure programming practices. This paper presents a study that examines the presence, prevalence, and distribution of code vulnerabilities in scientific open-source systems. The empirical investigation statically analyzes three systems developed in C and C++, comprising over three million lines of source code. The study aims to provide empirical evidence of some of the common vulnerabilities that are introduced into open-source systems during the implementation phase. The findings are meant to be used for designing proper training courses and enhancing the academic computing curriculum. A cloud-based analysis tool developed by a team from the University of Wisconsin is used in this study. The findings confirm the presence, and show the distribution, of some vulnerabilities in code written by programmers, confirming the need for relevant training and education.
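The static analysis the abstract describes is, at its core, detection of call sites of known unsafe C library functions (the "unsafe functions" keyword; compare the SDL banned-function list and ITS4 in the references). The following is an added illustration written for this page, not code from the paper or from the University of Wisconsin tool. It is a minimal scanner of that kind in Python: it blanks out comments and string/character literals before matching, so a function name that merely appears in a comment or a format string is not reported, and it requires an actual call (identifier followed by an opening parenthesis), so safe variants such as `strcpy_s` or differently named wrappers such as `my_strcpy` are not flagged. The banned-function subset is taken from the SDL list; the suggested replacements and the sample C source are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the Microsoft SDL banned C runtime functions. The replacement
# text is this example's own suggestion, not output of any published tool.
BANNED: dict[str, str] = {
    "strcpy": "strcpy_s / strlcpy / snprintf with an explicit size",
    "strcat": "strcat_s / strlcat",
    "sprintf": "snprintf",
    "gets": "fgets",
    "strncpy": "strcpy_s / strlcpy (strncpy may leave dst unterminated)",
    "scanf": "scanf with field widths, or fgets followed by sscanf",
}


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the scanned source
    func: str        # banned function that is called
    suggestion: str  # safer alternative from BANNED


# Block comments, line comments, string literals and character literals, in
# leftmost-match order so a "//" inside a string literal is not a comment.
_NOISE = re.compile(
    r"/\*.*?\*/"
    r"|//[^\n]*"
    r'|"(?:\\.|[^"\\\n])*"'
    r"|'(?:\\.|[^'\\\n])*'",
    re.DOTALL,
)

# A banned identifier followed (after optional whitespace) by "(".  The
# leading \b rejects "my_strcpy"; the required "(" rejects "strcpy_s".
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def _blank_noise(src: str) -> str:
    # Replace every comment/literal with spaces of equal length, keeping the
    # newlines, so offsets and line numbers in the result match the input.
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan_source(src: str) -> list[Finding]:
    """Return banned-function call sites in C source, in source order."""
    cleaned = _blank_noise(src)
    findings = []
    for m in _CALL.finditer(cleaned):
        line = cleaned.count("\n", 0, m.start()) + 1
        name = m.group(1)
        findings.append(Finding(line, name, BANNED[name]))
    return findings


# Constructed sample input (not from any real project) exercising the cases
# a naive grep would get wrong: a comment, a string literal, a safe variant
# and a wrapper with a similar name.
SAMPLE_C = r"""#include <string.h>
#include <stdio.h>

/* strcpy(a, b) mentioned in a comment must not be reported */
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);              // unbounded copy: reported
    printf("strcat(x, y)\n");      // inside a string literal: not a call
    strcpy_s(dst, 16, src);        // bounded variant: not reported
    my_strcpy(dst, src);           // different identifier: not reported
    return sprintf(dst, "%s", src); // unbounded format: reported
}
"""


def report(src: str) -> str:
    """Render findings as one 'line:function -> suggestion' entry per line."""
    return "\n".join(f"{f.line}:{f.func} -> {f.suggestion}" for f in scan_source(src))


if __name__ == "__main__":
    print(report(SAMPLE_C))
```

Two of the six lines inside `copy_name` are reported (the `strcpy` on line 6 and the `sprintf` on line 10). A scanner like this is deliberately lexical: it does not follow macros, function pointers (`&strcpy` without a call) or `#define` renames, and it cannot tell a bounded `sprintf` into a buffer sized from `strlen` apart from an unbounded one; those are the cases where a parser-based tool such as the srcML-driven analysis cited below earns its keep.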
References
A. M. St. Laurent, Understanding Open Source and Free Software Licensing. O'Reilly Media, 2008, p. 4, ISBN 9780596553951.
S. S. Levine and M. J. Prietula, "Open Collaboration for Innovation: Principles and Performance," Organization Science, 30 Dec. 2013, ISSN 1047-7039.
D. Cubranic and K. S. Booth, "Coordinating open-source software development," in IEEE 8th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Stanford, CA, USA, 16-18 Jun. 1999, pp. 61-66.
J. J. Heiss, "The meanings and motivations of open-source communities," Oracle, Aug. 2007. [Online]. Available: http://www.oracle.com/technetwork/articles/java/opensource-phipps-137190.html
L. Pascarella, F. Palomba, M. Di Penta, and A. Bacchelli, "How Is Video Game Development Different from Software Development in Open Source?," in 2018 IEEE/ACM 15th International Conference on Mining Software Repositories (MSR), Gothenburg, Sweden, 2018, pp. 392-402.
E. Crifasi, S. Pike, Z. Stuedemann, S. M. Alnaeli, and Z. Altahat, "Cloud-Based Source Code Security and Vulnerabilities Analysis Tool for C/C++ Software Systems," in 2018 IEEE International Conference on Electro/Information Technology (EIT), Rochester, MI, USA, 2018, pp. 0651-0654, doi: 10.1109/EIT.2018.8500206.
M. Block, B. Barcaskey, A. Nimmo, S. Alnaeli, I. Gilbert, and Z. Altahat, "Scalable Cloud-Based Tool to Empirically Detect Vulnerable Code Patterns in Large-Scale System," in 2020 IEEE International Conference on Electro Information Technology (EIT), Chicago, IL, USA, 2020, pp. 588-592, doi: 10.1109/EIT48999.2020.9208325.
D. Wahyudin, A. Schatten, D. Winkler, and S. Biffl, "Aspects of Software Quality Assurance in Open Source Software Projects: Two Case Studies from Apache Project," in 33rd EUROMICRO Conference on Software Engineering and Advanced Applications (EUROMICRO 2007), Lubeck, Germany, 2007, pp. 229-236, doi: 10.1109/EUROMICRO.2007.19.
J. Yoon, D. Ryu, and J. Baik, "Improving vulnerability prediction accuracy with Secure Coding Standard violation measures," in 2016 International Conference on Big Data and Smart Computing (BigComp), 2016, pp. 115-122.
M. Howard, "Security Development Lifecycle (SDL) Banned Function Calls." [Online]. Available: https://msdn.microsoft.com/en-us/library/bb288454.aspx
Z. Xu and G. Liu, "STACKEEPER: A Static Source Code Analyzer to Detect Stack-based Uninitialized Use Vulnerabilities," in 2018 IEEE 4th International Conference on Computer and Communications (ICCC), Chengdu, China, 2018, pp. 2180-2184, doi: 10.1109/CompComm.2018.8780675.
N. Meng, S. Nagy, D. Yao, W. Zhuang, and G. Arango-Argoty, "Secure Coding Practices in Java: Challenges and Vulnerabilities," in 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE), Gothenburg, Sweden, 2018, pp. 372-383, doi: 10.1145/3180155.3180201.
G. D. Maayan, "The Dangers of Open-Source Vulnerabilities, and What You Can Do About It," Security Today, 19 Aug. 2019. [Online]. Available: https://securitytoday.com/articles/2019/08/19/
M. L. Collard, M. J. Decker, and J. I. Maletic, "Lightweight Transformation and Fact Extraction with the srcML Toolkit," presented at the 11th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM'11), Williamsburg, VA, USA, 2011.
C. C. Michael and S. Lavenhar, "Source Code Analysis Tools - Overview," CISA Cyber Infrastructure, 2013.
J. Viega, J. T. Bloch, Y. Kohno, and G. McGraw, "ITS4: a static vulnerability scanner for C and C++ code," in 16th Annual Computer Security Applications Conference (ACSAC '00), 2000, pp. 257-267.
L. Dong, W. Dong, and L. Chen, "Invalid Pointer Dereferences Detection for CPS Software Based on Extended Pointer Structures," in 2012 IEEE Sixth International Conference on Software Security and Reliability Companion, Gaithersburg, MD, USA, 2012, pp. 144-151, doi: 10.1109/SERE-C.2012.30.
National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), "Vulnerability Summary for the Week of September 14, 2020." [Online]. Available: https://us-cert.cisa.gov/ncas/bulletins/sb20-265
License
Copyright (c) 2020 Journal of Basic Sciences

This work is licensed under a Creative Commons Attribution 4.0 International License.