TeamUSEC

Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors

Sabrina Amft, Sandra Höltervennhoff, Rebecca Panskus, Karola Marky and Sascha Fahl.
In 45th IEEE Symposium on Security and Privacy, IEEE S&P 2024, May 20-23, 2024, San Francisco, USA

Abstract

To increase open-source software supply chain security, protecting the development environment of contributors against attacks is crucial. For example, contributors must protect authentication credentials for software repositories, code-signing keys, and their systems from malware.

Previous incidents illustrated that open-source contributors struggle with protecting their development environment. In contrast to companies, open-source software projects cannot easily enforce security guidelines for development environments. Instead, contributors’ security setups are likely heterogeneous regarding chosen technologies and strategies.

To the best of our knowledge, we perform the first in-depth qualitative investigation of open-source software contributors’ individual security setups, their motivation, decision-making, and sentiments, and the potential impact on open-source software supply chain security. To this end, we conduct 20 semi-structured interviews with a diverse set of experienced contributors to critical open-source software projects.

Overall, we find that contributors have a generally high affinity for security. However, security practices are rarely discussed in the community or enforced by projects. Furthermore, we see a strong influence of social mechanisms, such as trust, respect, or politeness, further impeding the sharing of security knowledge and best practices.

We conclude our work with a discussion of the impact of our findings on open-source software and supply chain security, and make recommendations for the open-source software community.

Reference

@inproceedings{conf/oakland/amft24,
  author    = {Sabrina Amft and
               Sandra Höltervennhoff and
               Rebecca Panskus and
               Karola Marky and
               Sascha Fahl},
  title     = {Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors},
  booktitle = {45th IEEE Symposium on Security and Privacy, IEEE S\&P 2024, May 20-23, 2024},
  month     = {May},
  publisher = {IEEE Computer Society},
  url       = {https://www.ieee-security.org/TC/SP2024/accepted-papers.html},
  year      = {2024}
}