Is Popularity an Indicator of Software Security?

Although numerous research attempts can be found in the related literature focusing on the ability of software-related factors (e.g. software metrics) to indicate the existence of vulnerabilities in software applications, none of them have demonstrated perfect results. In addition, none of the existing studies have focused on the popularity of software products, which is an important characteristic of open-source software applications and libraries. To this end, in this paper, the ability of popularity (i.e. utilization) to indicate the existence of vulnerabilities and, in turn, to highlight the internal security level of software products is investigated. For this purpose, a relatively large software repository based on well-known libraries retrieved from the Maven Repository was constructed and its security was analyzed using a widely-used open-source static code analyzer. Correlation analysis was employed in order to examine whether a statistically significant correlation exists between the security and popularity of the selected software products. The preliminary results of the analysis suggest that popularity may not constitute a reliable indicator of the security level of software products. To the best of our knowledge, this is the first study that examines the relationship between the popularity of software products and their security level.