Open Source Software Projects Needing Security Investments

Some open source software (OSS) is widely used and depended on, and yet not received the level of security analysis appropriate to its importance. This paper describes our work to help identify OSS projects that may especially need investment for security by identifying and using metrics. We performed a literature search, identified promising metrics and potentially-concerning software packages to investigate, developed a specific approach, and applied it to identify a set of OSS projects that we believe are especially concerning. We have focused on automatically gathering metrics, especially those that suggest less active projects. For our initial set of projects to examine we took the set of software packages installed by Debian base and added packages that we or others identified as potentially concerning; we could easily add more projects to consider in the future.