Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities

Robert  Lagerstrom; Carliss Y. Baldwin; Alan   MacCormack; Daniel  J. Sturtevant; Lee  Doolan

Other Article | Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS)

Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities

by Robert Lagerstrom, Carliss Y. Baldwin, Alan MacCormack, Daniel J. Sturtevant and Lee Doolan

Abstract

Employing software metrics, such as size and complexity, for predicting defects has been given a lot of attention over the years and proven very useful. However, the few studies looking at software architecture and vulnerabilities are limited in scope and findings. We explore the relationship between software vulnerabilities and component metrics (like code churn and cyclomatic complexity), as well as architecture coupling metrics (direct, indirect, and cyclic coupling). Our case is based on the Google Chromium project, an open source project that has not been studied for this topic yet. Our findings show a strong relationship between vulnerabilities and both component level metrics and architecture coupling metrics. 68% of the files associated with a vulnerability are cyclically coupled, compared to 43% of the non-vulnerable files. Our best regression model is a combination of low commenting, high code churn, high direct fan-out within the main cyclic group, and high direct fan-in outside of the main cyclic group.

Keywords: Security vulnerabilities; Software architecture; metrics; Software; Complexity; Measurement and Metrics;

Format: Print

Find at Harvard Read Now

Citation:

Lagerstrom, Robert, Carliss Y. Baldwin, Alan MacCormack, Daniel J. Sturtevant, and Lee Doolan. "Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities." Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS) 9th (2017): 53–69. (Part of Lecture Notes in Computer Science, ISSN 0302-9743.)

Working Paper | HBS Working Paper Series | 2019

Design Rules, Volume 2: How Technology Shapes Organizations: Chapter 8 Rationalizing Flow Processes

Carliss Y. Baldwin

The purpose of this chapter is to examine the value structure of flow production processes and to explain why it is necessary to rationalize flow processes using the tools of systematic management. I first explain the problems facing managers of multi-step flow production processes at the end of the 19th Century. I introduce a model of the value structure of a production process made up of interdependent steps and define the production bottleneck of the process. I use the mathematical definition of a bottleneck to derive two general properties of stochastic multi-step flow processes with bottlenecks. These properties imply a need for ongoing managerial oversight and intervention using a set of tools that went by the label systematic management. Without active systematic management to address production bottlenecks, large-scale flow processes can easily collapse into chaos. I then argue that that the use of automated machinery, larger (or growing) markets, and systematic management are supermodular complements: each attribute makes the other two more valuable. The next chapter will explore how the technological requirements of multi-step flow production processes affect the optimal design of organizations implementing these technologies.

Keywords: flow processes; bottleneck; systematic management; Production; Management; Problems and Challenges;

Citation:

Baldwin, Carliss Y. "Design Rules, Volume 2: How Technology Shapes Organizations: Chapter 8 Rationalizing Flow Processes." Harvard Business School Working Paper, No. 20-032, September 2019. View Details

Cite View Details Read Now

The purpose of this chapter is to explain what the technologies of flow production with stochastic bottlenecks require and reward in organizations. I argue that organizations successfully implementing these technologies are likely to have unified governance and exercise direct authority over process design, job definitions, and task assignments. As they come to employ more people, they will create hierarchical management structures as a means of managing information flows and delegating decision rights. Finally from the early 20th Century through the present, most of these organizations saw advantage in being legally organized as corporations, which could own assets, enter into contracts, and employ individuals in their own right. The result was a “paradigm” of mass production—a cluster of concepts that came to define both “big business” and “high technology” in the United States and elsewhere. Throughout the middle years of the 20th Century, many members of society took for granted the fact that successful businesses using advanced technology would be organized as large, vertically integrated corporations, exercise direct authority, and use managerial hierarchies to channel information and delegate responsibility.

The purpose of this chapter is to explore how technologies and organizations engaged in flow production evolve over time. To allow for an apples-to-apples comparison, I examine organizations using essentially the same physical technologies, making similar products, and competing in the same markets. Specifically, I look at the organizational differences among the largest automakers in the United States and Japan. I focus first on Ford between 1910 and 1930, then on General Motors from the 1920s through the 1960s, then Toyota (and other Japanese automakers) from the 1960s through 2000. The differences among these organizations show that while technology shapes organizations within broad limits, it does not determine an organization’s complete design nor its long-term competitive success.

Faculty & Research

Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities

Abstract

Citation:

About the Authors

More from these Authors