523 research outputs found
Security considerations in the open source software ecosystem
Open source software plays an important role in the software supply chain, allowing stakeholders to
utilize open source components as building blocks in their software, tooling, and infrastructure. But
relying on the open source ecosystem introduces unique challenges, both in terms of security and trust,
as well as in terms of supply chain reliability.
In this dissertation, I investigate approaches, considerations, and encountered challenges of stakeholders in the context of security, privacy, and trustworthiness of the open source software supply
chain. Overall, my research aims to empower and support software experts with the knowledge and
resources necessary to achieve a more secure and trustworthy open source software ecosystem. In the
first part of this dissertation, I describe a research study investigating the security and trust practices
in open source projects by interviewing 27 owners, maintainers, and contributors from a diverse set
of projects to explore their behind-the-scenes processes, guidance and policies, incident handling, and
encountered challenges, finding that participants’ projects are highly diverse in terms of their deployed
security measures and trust processes, as well as their underlying motivations. More on the consumer
side of the open source software supply chain, I investigated the use of open source components in
industry projects by interviewing 25 software developers, architects, and engineers to understand their
projects’ processes, decisions, and considerations in the context of external open source code, finding
that open source components play an important role in many of the industry projects, and that most
projects have some form of company policy or best practice for including external code. On the side of
end-user focused software, I present a study investigating the use of software obfuscation in Android
applications, which is a recommended practice to protect against plagiarism and repackaging. The
study leveraged a multi-pronged approach including a large-scale measurement, a developer survey, and
a programming experiment, finding that only 24.92% of apps are obfuscated by their developer, that
developers do not fear theft of their own apps, and have difficulties obfuscating their own apps. Lastly,
to involve end users themselves, I describe a survey with 200 users of cloud office suites to investigate
their security and privacy perceptions and expectations, with findings suggesting that users are generally
aware of basic security implications, but lack technical knowledge for envisioning some threat models.
The key findings of this dissertation include that open source projects have highly diverse security
measures, trust processes, and underlying motivations. That the projects’ security and trust needs are
likely best met in ways that consider their individual strengths, limitations, and project stage, especially
for smaller projects with limited access to resources. That open source components play an important
role in industry projects, and that those projects often have some form of company policy or best
practice for including external code, but developers wish for more resources to better audit included
components.
This dissertation emphasizes the importance of collaboration and shared responsibility in building and maintaining the open source software ecosystem, with developers, maintainers, end users,
researchers, and other stakeholders alike ensuring that the ecosystem remains a secure, trustworthy, and
healthy resource for everyone to rely on
Towards energy-aware coding practices for Android
This paper studies how the use of different coding practices when developing Android applications influence energy consumption. We consider two common Java/Android programming practices, namely string operations and (non) cached image loading, and we show the energy profile of different coding practices for doing them. With string operations, we compare the performance of the usage of the standard String class to the usage of the StringBuilder class, while with our second practice we evaluate the benefits of image caching with asynchronous loading. We externally measure energy consumption of the example applications using the Trepn profiler application by Qualcomm. Our preliminary results show that selected coding practices do significantly affect energy consumption, in the particular cases of our practice selection, this difference varies between 20% and 50%.This work is funded by the Slovak Research and
Development Agency under the contract No. SK-PT2015-0037 and by the Portugal-Slovakia Cooperation FCT
Project (Ref. 441), and by the ERDF – European Regional
Development Fund through the Operational Programme
for Competitiveness and Internationalisation - COMPETE
2020 Programme and by National Funds through the
Portuguese funding agency, FCT – Fundacão para a
CiĂŞncia e a Tecnologia within project POCI-01-0145-
FEDER-016718
- …