Measuring Subversions: Security and Legal Risk in Reused Software Artifacts

Julius Davies
University of Victoria, Canada

A software system often includes a set of library dependencies and other software artifacts necessary for the system's proper operation. However, long-term maintenance problems related to reused software can gradually emerge over the lifetime of the deployed system. In our exploratory study we propose a manual technique to locate documented security and legal problems in a set of reused software artifacts. We evaluate our technique with a case study of 81 Java libraries found in a proprietary e-commerce web application. Using our approach we discovered both a potential legal problem with one library, and a second library that was affected by a known security vulnerability. These results support our larger thesis: software reuse entails long-term maintenance costs. In future work we strive to develop automated techniques by which developers, managers, and other software stakeholders can measure, address, and minimize these costs over the lifetimes of their software assets.
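As an added illustration of the kind of check the abstract describes (example code written for this page, not the paper's own technique or data): a small script maps jar filenames from a web application's library directory to a name and version, then flags libraries whose version falls inside a documented vulnerable range or whose license a hypothetical policy disallows. The jar names, advisory identifiers, version ranges and license policy are all constructed placeholders.

```python
import re

# Constructed jar listing, in the style of a WEB-INF/lib directory (not from the paper).
JARS = ["commons-foo-1.2.3.jar", "widgetlib-0.9.jar", "bar-core-2.0.1.jar", "nover.jar"]

# Constructed advisory table: library -> [(placeholder advisory id, affected range [lo, hi))].
ADVISORIES = {"commons-foo": [("ADV-PLACEHOLDER-1", (1, 0, 0), (1, 3, 0))]}

# Constructed license inventory and a hypothetical policy of licenses the vendor will not ship.
LICENSES = {"commons-foo": "Apache-2.0", "widgetlib": "GPL-2.0", "bar-core": "MIT"}
DISALLOWED = {"GPL-2.0", "AGPL-3.0"}

# name-<dotted numeric version>.jar; the lazy name group stops at the last "-" before digits.
JAR_RE = re.compile(r"^(?P<name>[a-z][\w.-]*?)-(?P<ver>\d+(?:\.\d+)*)\.jar$")


def parse_jar(filename):
    """Return (name, version tuple) for a versioned jar filename, or None if unversioned."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), tuple(int(p) for p in m.group("ver").split("."))


def pad(version, width=3):
    """Right-pad a version tuple with zeros so (1, 2) and (1, 2, 0) compare equal."""
    return version + (0,) * (width - len(version))


def assess(jars):
    """Return (jar, category, detail) findings: 'security', 'legal' or 'unknown'."""
    findings = []
    for jar in jars:
        parsed = parse_jar(jar)
        if parsed is None:
            # Without a version the advisory lookup cannot be done; surface that explicitly.
            findings.append((jar, "unknown", "no version in filename; cannot check advisories"))
            continue
        name, ver = parsed
        for adv_id, lo, hi in ADVISORIES.get(name, []):
            if pad(lo) <= pad(ver) < pad(hi):
                findings.append((jar, "security", adv_id))
        lic = LICENSES.get(name)
        if lic is None:
            findings.append((jar, "legal", "license undocumented"))
        elif lic in DISALLOWED:
            findings.append((jar, "legal", f"license {lic} not permitted by policy"))
    return findings


if __name__ == "__main__":
    for jar, category, detail in assess(JARS):
        print(f"{category:8} {jar}: {detail}")
```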