Abstract

Context: Software development organizations are composed of people working together towards a common goal. These people are connected in networks. The effectiveness of these networks seems like it would be an essential consideration for the effectiveness of the organization as a whole, but does network effectiveness actually matter?

Objective: In this paper, we seek to understand whether causal relationships exist between the maintenance effort spent on files implicated in software vulnerabilities and suboptimal social behaviors – social smells – within that project’s developer community.

Methods: To gain insight into this question, we chose to study OpenSSL and over 100 of its published vulnerabilities. We performed a socio-technical analysis on OpenSSL to understand whether social smells could be causally linked to the effort to maintain files implicated in vulnerabilities.

Results: Our results indicate that this is the case: Social smells are, in fact, causally linked to the maintenance effort surrounding files implicated in software vulnerabilities.

Conclusion: This result has significant implications for the management of software projects. These insights may motivate and help to guide project managers and architects to also focus on team communications, and not merely on technical quality measures such as bug rates or feature velocity. Social interactions among a project’s team members matter, and smells can be measured and monitored.
