TY - CHAP AU - Dashevskyi, Stanislav AU - Brucker, Achim D. AU - Massacci, Fabio ED - Caballero, Juan ED - Bodden, Eric PY - 2016 DA - 2016// TI - On the Security Cost of Using a Free and Open Source Component in a Proprietary Product BT - International Symposium on Engineering Secure Software and Systems (ESSoS) T3 - Lecture Notes in Computer Science SP - 190 EP - 206 IS - 9639 PB - Springer-Verlag CY - Heidelberg KW - Free and Open Source Software usage, Free and Open Source Software vulnerabilities, security maintenance costs AB - The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within a proprietary software supply chain of a large European software vendor. To this extent we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (\eg, development activity such as commits, code size, or fraction of code size in different programming languages) to identify which one has the major impact on the security effort of using a FOSS component in a larger software product. SN - 978-3-642-11746-6 L1 - https://www.brucker.ch/bibliography/download/2016/dashevskyi.ea-foss-costs-2016.pdf UR - https://www.brucker.ch/bibliography/abstract/dashevskyi.ea-foss-costs-2016 UR - https://doi.org/10.1007/978-3-319-30806-7_12 DO - 10.1007/978-3-319-30806-7_12 LA - USenglish ID - dashevskyi.ea:foss-costs:2016 ER -