Measuring Software Diversity, with Applications to Security
This paper addresses the security risks that arise from low software diversity, aimed at software developers and security analysts; its contribution is incremental in that it applies an existing ecological measure to a new domain.
The paper tackles the problem of measuring software diversity by adapting the Shannon-Wiener index from ecology to assess real software ecosystems, uncovering a software monopoly with key security implications.
In this work, we briefly introduce and discuss some of the diversity measures used in ecology. After a succinct description and analysis of the most relevant ones, we single out the Shannon-Wiener index and justify why it is the most informative and relevant one for measuring software diversity. We then show how it can be used to effectively assess the diversity of various real software ecosystems. In the process we discover a frequently overlooked software monopoly, and its key security implications. Finally, we extract some conclusions from the results obtained, focusing mostly on their security implications.
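As an added illustration (not code from the paper), the following computes the Shannon-Wiener index H = -Σ p_i ln p_i over constructed installed-base counts for a few hypothetical software ecosystems, together with exp(H) (the effective number of implementations) and Pielou's evenness, and reports the dominant implementation's share, i.e. the fraction of hosts that a single implementation-specific flaw could affect. The implementation names, counts and the 80% monopoly threshold are assumptions for the example.

```python
import math

# Constructed sample ecosystems: hypothetical installed-base counts per
# implementation (not data from the paper).
ECOSYSTEMS = {
    "balanced":    {"impl_a": 250, "impl_b": 250, "impl_c": 250, "impl_d": 250},
    "skewed":      {"impl_a": 900, "impl_b": 50, "impl_c": 30, "impl_d": 20},
    "monoculture": {"impl_a": 1000, "impl_b": 0, "impl_c": 0, "impl_d": 0},
}

def shannon_wiener(counts):
    """H = -sum(p_i * ln p_i), where p_i is the share of each implementation.
    Absent implementations contribute nothing (the 0 * ln 0 = 0 convention)."""
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("ecosystem has no population")
    return -sum((n / total) * math.log(n / total) for n in counts.values() if n > 0)

def effective_implementations(counts):
    """exp(H): how many equally common implementations would yield the same H."""
    return math.exp(shannon_wiener(counts))

def evenness(counts):
    """Pielou's evenness J = H / ln(S): 1.0 when all present implementations
    are equally common; defined as 0.0 for a single implementation."""
    present = sum(1 for n in counts.values() if n > 0)
    return 0.0 if present <= 1 else shannon_wiener(counts) / math.log(present)

def assess(counts, monopoly_share=0.8):
    """Summarise diversity and the reach of one implementation-specific flaw:
    the dominant share is the fraction of hosts such a flaw could affect."""
    total = sum(counts.values())
    dominant = max(counts.values()) / total
    return {
        "H": round(shannon_wiener(counts), 4),
        "effective": round(effective_implementations(counts), 2),
        "evenness": round(evenness(counts), 4),
        "dominant_share": round(dominant, 4),
        "monopoly": dominant >= monopoly_share,  # assumed threshold
    }

if __name__ == "__main__":
    for name, counts in ECOSYSTEMS.items():
        print(name, assess(counts))
```

The skewed ecosystem still has four implementations, yet its effective number is close to 1.5 and a flaw in impl_a reaches 90% of hosts, which is the situation the index is meant to expose.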