Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities

Robert  Lagerstrom; Carliss Y. Baldwin; Alan   MacCormack; Daniel  J. Sturtevant; Lee  Doolan

Other Article | Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS)

Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities

by Robert Lagerstrom, Carliss Y. Baldwin, Alan MacCormack, Daniel J. Sturtevant and Lee Doolan

Abstract

Employing software metrics, such as size and complexity, for predicting defects has been given a lot of attention over the years and proven very useful. However, the few studies looking at software architecture and vulnerabilities are limited in scope and findings. We explore the relationship between software vulnerabilities and component metrics (like code churn and cyclomatic complexity), as well as architecture coupling metrics (direct, indirect, and cyclic coupling). Our case is based on the Google Chromium project, an open source project that has not been studied for this topic yet. Our findings show a strong relationship between vulnerabilities and both component level metrics and architecture coupling metrics. 68% of the files associated with a vulnerability are cyclically coupled, compared to 43% of the non-vulnerable files. Our best regression model is a combination of low commenting, high code churn, high direct fan-out within the main cyclic group, and high direct fan-in outside of the main cyclic group.

Keywords: Security vulnerabilities; Software architecture; metrics; Software; Complexity; Measurement and Metrics;

Format: Print

Find at Harvard Read Now

Citation:

Lagerstrom, Robert, Carliss Y. Baldwin, Alan MacCormack, Daniel J. Sturtevant, and Lee Doolan. "Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities." Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS) 9th (2017): 53–69. (Part of Lecture Notes in Computer Science, ISSN 0302-9743.)

The purpose of this chapter is to present analytic tools based on functional maps that can be used to identify investment opportunities and to formulate strategy in large, evolving technical systems. I argue that the points of value creation and value capture in a technical system are the system’s bottlenecks. Bottlenecks arise first as important technical problems to be solved. Once the problem is solved, the solution in combination module boundaries and property rights can be used to capture a stream of rents. In this chapter I extend the functional mapping techniques developed in the last chapter to locate technical and strategic bottlenecks, modules, and property rights. I then show how these analytic tools can be used to construct narratives explaining the dynamics of three nascent technical systems: early aircraft, high-speed steel in machine tools, and container shipping.

Working Paper | HBS Working Paper Series | 2018

Design Rules, Volume 2: How Technology Shapes Organizations: Chapter 5 Complementarity

Carliss Y. Baldwin

The purpose of this chapter is to relate the theory of task networks and technology set forth in previous chapters to theories of firm boundaries from economics and management. Complementary goods have more value when used together than separately. Complementarity may be strong or weak. Strong complements are specific and unique goods that have no value (or greatly diminished value) unless all are present in use. In the task network, dense technical interdependencies create strong complementarity, but it can arise for other reasons as well.
Transaction cost economics and property rights theory advise that strong complements should be placed under unified governance, for example, through common ownership. Agency theory suggests that weak complementarity can be handled via arms-length transactions and contracts. Furthermore, strong or weak complementarity are not innate properties of tasks and assets, but can be the result of choices regarding task networks, incentives and job design.
Supermodular complementarity exists when more of one input makes more of another input more valuable. Distributed supermodular complementarity (DSMC) exists when two or more independent actors can create complementary value by pursuing their own interests, and will not find it advantageous to combine in order to coordinate their actions. I derive formal conditions under which DSMC holds as a consistent pattern in a dynamic equilibrium. Given DSMC, clusters of firms making different complementary goods, including open platforms with surrounding ecosystems, can survive and compete effectively against integrated firms that control all complementary inputs.

Keywords: Complementarity;

Citation:

Baldwin, Carliss Y. "Design Rules, Volume 2: How Technology Shapes Organizations: Chapter 5 Complementarity." Harvard Business School Working Paper, No. 19-036, October 2018. View Details

Cite View Details Read Now

Faculty & Research

Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities

Abstract

Citation:

About the Authors

More from these Authors