{"title":"A socio-technical perspective on software vulnerabilities: A causal analysis","authors":"Carlos Paradis , Rick Kazman , Mike Konrad","doi":"10.1016/j.infsof.2024.107553","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><p>Software development organizations are composed of people working together towards a common goal. These people are connected in networks. The effectiveness of these networks seems like it would be an essential consideration for the effectiveness of the organization as a whole, but does network effectiveness actually matter?</p></div><div><h3>Objective:</h3><p>In this paper, we seek to understand whether causal relationships exist between the maintenance effort spent on files implicated in software vulnerabilities and suboptimal social behaviors – social smells – within that project’s developer community.</p></div><div><h3>Methods:</h3><p>To gain insight into this question, we chose to study OpenSSL and over 100 of its published vulnerabilities. We performed a socio-technical analysis on OpenSSL to understand whether social smells could be causally linked to the effort to maintain files implicated in vulnerabilities.</p></div><div><h3>Results:</h3><p>Our results indicate that this is the case: Social smells are, in fact, causally linked to the maintenance effort surrounding files implicated in software vulnerabilities.</p></div><div><h3>Conclusion:</h3><p>This result has significant implications for the management of software projects. These insights may motivate and help to guide project managers and architects to also focus on team communications, and not merely on technical quality measures such as bug rates or feature velocity. Social interactions among a project’s team members matter, and smells can be measured and monitored.</p></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"176 ","pages":"Article 107553"},"PeriodicalIF":3.8000,"publicationDate":"2024-08-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584924001587","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citation count: 0
Abstract
Context:
Software development organizations are composed of people working together towards a common goal. These people are connected in networks. The effectiveness of these networks seems like it would be an essential consideration for the effectiveness of the organization as a whole, but does network effectiveness actually matter?
Objective:
In this paper, we seek to understand whether causal relationships exist between the maintenance effort spent on files implicated in software vulnerabilities and suboptimal social behaviors – social smells – within that project’s developer community.
Methods:
To gain insight into this question, we chose to study OpenSSL and over 100 of its published vulnerabilities. We performed a socio-technical analysis on OpenSSL to understand whether social smells could be causally linked to the effort to maintain files implicated in vulnerabilities.
Results:
Our results indicate that this is the case: Social smells are, in fact, causally linked to the maintenance effort surrounding files implicated in software vulnerabilities.
Conclusion:
This result has significant implications for the management of software projects. These insights may motivate and help to guide project managers and architects to also focus on team communications, and not merely on technical quality measures such as bug rates or feature velocity. Social interactions among a project’s team members matter, and smells can be measured and monitored.
Journal description:
Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.
The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.