Centre for Internet & Society

Securing Our Dependence on Code Reuse in Software

Securing Our Dependence on Code Reuse in Software

Dividing and breaking up a software project into smaller modules with functionality that can be reused to build other software is an increasingly common practice in software development today. We examine our infrastructural dependence on reuse of open-source software (OSS) components, examine the unique security risks posed by the widespread reuse of code, and survey systemic solutions to securing code reuse.

Dividing and breaking up a software project into smaller modules with functionality that can be reused to build other software is an increasingly common practice in software development today. Much of this reuse happens in the form of open-source software (OSS) packages, i.e. software whose source code is openly available on the internet with a permissive licence which allows for its reuse and modification. A study that analysed the composition of over 2400 commercial software applications from seventeen industries found that, on average, 78% of the code used to build them was open-source software – indicating that code reuse is not merely supplemental, but foundational to software development processes today. Relying on domain experts to build and maintain the functionality that is ancillary to a software application’s primary purpose saves effort and allows application developers to focus on their own work domains. For instance, a developer building a video conferencing application – such as Zoom – may reuse an open-source library called ffmpeg to encode and decode video streams, or another open-source component, OpenSSL, to encrypt and decrypt the encoded streams as they are transmitted over the internet, rather than reimplementing this functionality from scratch.

Despite the well-known practical benefits of code reuse and its prevalence in all of the digital products and services our society relies on, several security incidents in widely used OSS projects have shown that such projects are often underfunded and under-maintained. The ‘Heartbleed’ vulnerability most clearly illustrates this. In 2014, a security vulnerability in the OpenSSL software library – which is widely used to encrypt web traffic – affected about one-fifth of the servers on the internet. Malicious actors could have exploited this vulnerability to decrypt all of the data that these servers handled and even impersonated them.

In this report, we examine our infrastructural dependence on reuse of OSS components and develop an understanding of the security risks posed by the widespread reuse of code that is developed and maintained by untrusted individuals and organisations that have no obligation to provide these services or any subsequent support.

We present an analysis of common security issues in OSS packages, with a focus on the unique security issues that arise in the tooling and processes used to store, distribute and operate reused code. Finally, we survey solutions and frameworks which seek to address some of these issues on a systemic level.

This report is primarily aimed at regulators, technical decision-makers and organisations invested in furthering research in this area. It can also serve as a starting point for software developers who want to learn about the common security pitfalls of using OSS components and how they can avoid them.

Click to download the full report

Filed under:
The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.

Meta

Author

Divyank Katira

Open Data

Events

Funded by

 

Offices

Bengaluru: #32, 1st Floor, 2nd Block, Austin Town, Viveka Nagar, Bengaluru, Karnataka 560047.

 

null

 

Support Us

Please help us defend citizen and user rights on the Internet!

You may donate online via Instamojo. Or, write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at Ground Floor, No 173, 9th Cross, 2nd Stage, Indiranagar, Bangalore 560038. These charitable contributions will be towards the Institutional Corpus Fund of the Centre for Internet and Society.

Follow our Works

Newsletter: Subscribe

researchers@work blog: medium.com/rawblog

Twitter (CIS): @cis_india

Twitter (CIS-A2K): @cisa2k

Instagram: @cis.india

Youtube: Centre for Internet and Society

Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to us at communications[at]cis-india[dot]org with an indication of the form and the content of the collaboration you might be interested in.

In general, we offer financial support for collaborative/invited works only through public calls.

About Us

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and regulatory practices around internet, technology, and society in India, and elsewhere.

© Centre for Internet & Society

Unless otherwise specified, content licensed under Creative Commons — Attribution 3.0 Unported.