MSR 2020
Mon 29 - Tue 30 June 2020
co-located with ICSE 2020
Tue 30 Jun 2020 11:48 - 12:00 at MSR:Zoom2 - Security. Chair(s): Dimitris Mitropoulos

Context: The Heartbleed vulnerability brought OpenSSL to international attention in 2014. The almost moribund project was a key security component in public web servers and over a billion mobile devices. This vulnerability led to new investments in OpenSSL.

Objective: The goal of this study is to determine how the Heartbleed vulnerability changed the software evolution of OpenSSL. We study changes in vulnerabilities, code quality, project activity, and software engineering practices.

Method: We use a mixed methods approach, collecting multiple types of quantitative data and qualitative data from web sites and interviews with project members. We use regression discontinuity analysis to determine changes in levels and slopes of code and project activity metrics resulting from Heartbleed.

Results: The OpenSSL project made tremendous improvements to code quality and security after Heartbleed. By the end of 2016, the number of commits per month had tripled, 91 vulnerabilities were found and fixed, code complexity decreased significantly, and OpenSSL obtained a CII best practices badge, certifying its use of good open source development practices.

Conclusions: The OpenSSL project provides a model of how an open source project can adapt and improve after a security event. The evolution of OpenSSL shows that the number of known vulnerabilities is not a useful indicator of project security. A small number of vulnerabilities may simply indicate that a project does not expend much effort on finding vulnerabilities. This study suggests that project activity and CII badge best practices may be better indicators of code quality and security than vulnerability counts.

Tue 30 Jun
Times are displayed in time zone: (UTC) Coordinated Universal Time

11:00 - 12:00: Security (Technical Papers / Data Showcase) at MSR:Zoom2
Chair(s): Dimitris Mitropoulos, Athens University of Economics and Business

Q/A & Discussion of Session Papers over Zoom (Joining info available on Slack)

11:00 - 11:12
Live Q&A
Did You Remember To Test Your Tokens? (MSR - Technical Paper)
Technical Papers
Danielle Gonzalez (Rochester Institute of Technology, USA), Michael Rath (Technische Universität Ilmenau), Mehdi Mirakhorli (Rochester Institute of Technology)
11:12 - 11:24
Live Q&A
Automatically Granted Permissions in Android apps (MSR - Technical Paper)
Technical Papers
Paolo Calciati (IMDEA Software Institute), Konstantin Kuznetsov (Saarland University, CISPA), Alessandra Gorla (IMDEA Software Institute), Andreas Zeller (CISPA Helmholtz Center for Information Security)
11:24 - 11:36
Live Q&A
PUMiner: Mining Security Posts from Developer Question and Answer Websites with PU Learning (MSR - Technical Paper)
Technical Papers
Triet Le Huynh Minh (The University of Adelaide), David Hin, Roland Croft, Muhammad Ali Babar (The University of Adelaide)
11:36 - 11:48
Live Q&A
A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries (MSR - Data Showcase)
Data Showcase
Jiahao Fan (New Jersey Institute of Technology, USA), Yi Li (New Jersey Institute of Technology, USA), Shaohua Wang (New Jersey Institute of Technology, USA), Tien N. Nguyen (University of Texas at Dallas)
11:48 - 12:00
Live Q&A
The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL (MSR - Technical Paper)
Technical Papers
James Walden (Northern Kentucky University)