An Empirical Study on Security Knowledge Sharing and Learning in Open Source Software Communities

Abstract

pen source software (OSS) security has been the focus of the security community and practitioners over the past decades. However, the number of new vulnerabilities keeps increasing in today’s OSS systems. With today’s increasingly important and complex OSS, lacking software security knowledge to handle security vulnerabilities in OSS development will result in more breaches that are serious in the future. Learning software security is a difficult and challenging task since the domain is quite context specific and the real project situation is necessary to apply the security concepts within the specific system. Many OSS proponents believe that the OSS community offers significant learning opportunities from its best practices. However, studies that specifically explore security knowledge sharing and learning in OSS communities are scarce. This research is intended to fill this gap by empirically investigating factors that affect knowledge sharing and learning about software security and the relationship among them. A conceptual model is proposed that helps to conceptualize the linkage between socio-technical practices and software security learning processes in OSS communities. A questionnaire and statistical analytical techniques were employed to test hypothesized relationships in the model to gain a better understanding of this research topic.