Measuring FOSS Dependencies in Software Projects
In finance, leverage is the ratio between assets borrowed from others and one's own assets. Software has a matching situation: by using free open-source software (FOSS) libraries, a developer leverages other people's code to multiply the functionality offered while keeping a much smaller codebase of their own. In finance as in software, leverage magnifies profits when the returns from borrowing exceed the costs of integration, but it may also magnify losses, in particular when the borrowed code carries security vulnerabilities.
In this talk, I will introduce the concept of technical leverage and report its level across a sample of 8494 distinct library versions from FOSS Maven-based Java libraries. I will then discuss the actual opportunities and security risks that technical leverage presents to developers of small and medium libraries (own code smaller than 100K lines of code) and to developers of big libraries (own code bigger than 100K lines of code).
We also provide an online demo for computing the technical leverage of real-world software libraries, available at the following URL: https://techleverage.eu/
Speaker: Ivan Pashchenko