Security Knowledge Management in Open Source Software Communities

  • Shao-Fang Wen
  • Mazaher Kianpour
  • Basel Katt
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11359)


Open source software (OSS) communities are groups of individuals, technical or non-technical, who interact with collaborating peers in online communities of practice to develop OSS, solve particular software problems and exchange ideas. People join OSS communities with different levels of programming skill and experience, and many lack formal, college-level software security training. There remains a lot of confusion in participants’ minds as to what secure code is and what the project expects. A further problem is that the huge amount of software security information available today has produced a form of information overload for software engineers, who typically finish studying it with no clear idea of how to apply those principles to their own applications. This creates a gap between the knowledge that is available and the knowledge required to build secure applications in the context of software projects. Given the increased importance and complexity of OSS in today’s world, lacking the security knowledge needed to handle vulnerabilities in OSS development will result in more serious breaches in the future. The goal of this research is to close that knowledge gap by providing an artifact that facilitates the effective transfer and learning of security knowledge in the context of OSS development. In this work-in-progress paper, we present our ongoing research, following the design science research methodology, on identifying the domain problem and developing the artifact.


Keywords: Software security, Open source software, Knowledge management



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Norwegian University of Science and Technology, Gjøvik, Norway
