A socio-technical perspective on software vulnerabilities: A causal analysis

IF 3.8, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Information and Software Technology. Pub Date: 2024-08-24. DOI: 10.1016/j.infsof.2024.107553
Carlos Paradis , Rick Kazman , Mike Konrad
Information and Software Technology, Volume 176, Article 107553. Journal Article, published 2024-08-24. https://www.sciencedirect.com/science/article/pii/S0950584924001587
Citations: 0

Abstract

Context:

Software development organizations are composed of people working together towards a common goal. These people are connected in networks. The effectiveness of these networks seems like it would be an essential consideration for the effectiveness of the organization as a whole, but does network effectiveness actually matter?

Objective:

In this paper, we seek to understand whether causal relationships exist between the maintenance effort spent on files implicated in software vulnerabilities and suboptimal social behaviors – social smells – within that project’s developer community.

Methods:

To gain insight into this question, we chose to study OpenSSL and over 100 of its published vulnerabilities. We performed a socio-technical analysis on OpenSSL to understand whether social smells could be causally linked to the effort to maintain files implicated in vulnerabilities.

Results:

Our results indicate that this is the case: Social smells are, in fact, causally linked to the maintenance effort surrounding files implicated in software vulnerabilities.

Conclusion:

This result has significant implications for the management of software projects. These insights may motivate and help to guide project managers and architects to also focus on team communications, and not merely on technical quality measures such as bug rates or feature velocity. Social interactions among a project’s team members matter, and smells can be measured and monitored.

Source journal

Information and Software Technology
Information and Software Technology (Engineering and Technology - Computer Science: Software Engineering)
CiteScore: 9.10
Self-citation rate: 7.70%
Articles published: 164
Review time: 9.6 weeks
Journal description: Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "negative" results and much more. Read the Guide for Authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.