"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain

Dominik Wermke; Jan H. Klemmer; Noah Wöhler; Juliane Schmüser; Harshini Sri Ramulu; Yasemin Acar; Sascha Fahl

doi:10.1109/SP46215.2023.10179378

"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain

Dominik Wermke^*
, Jan H. Klemmer
, Noah Wöhler
, Juliane Schmüser
, Harshini Sri Ramulu
, Yasemin Acar
, Sascha Fahl

^*Korrespondierende*r Autor*in für diese Arbeit

Fachgebiet Empirische Informationssicherheit

Publikation: Beitrag in Buch/Bericht/Sammelwerk/Konferenzband › Aufsatz in Konferenzband › Forschung › Peer-Review

Abstract

Open source components are ubiquitous in companies' setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors and obligations to assess and mitigate the impact of vulnerabilities in external components.In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects' processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants' projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.

Originalsprache	Englisch
Titel des Sammelwerks	44th IEEE Symposium on Security and Privacy
Untertitel	SP 2023
Herausgeber (Verlag)	Institute of Electrical and Electronics Engineers Inc.
Seiten	1545-1560
Seitenumfang	16
ISBN (elektronisch)	9781665493369
DOIs	https://doi.org/10.1109/SP46215.2023.10179378
Publikationsstatus	Veröffentlicht - 2023
Veranstaltung	44th IEEE Symposium on Security and Privacy, SP 2023 - Hybrid, San Francisco, USA / Vereinigte Staaten Dauer: 22 Mai 2023 → 25 Mai 2023

Publikationsreihe

Name	Proceedings - IEEE Symposium on Security and Privacy
Band	2023-May
ISSN (Print)	1081-6011

Konferenz

Konferenz	44th IEEE Symposium on Security and Privacy, SP 2023
Land/Gebiet	USA / Vereinigte Staaten
Ort	Hybrid, San Francisco
Zeitraum	22 Mai 2023 → 25 Mai 2023

ASJC Scopus Sachgebiete

Sicherheit, Risiko, Zuverlässigkeit und Qualität
Software
Computernetzwerke und -kommunikation

Zugriff auf Dokument

10.1109/SP46215.2023.10179378

https://figshare.com/articles/conference_contribution/_Always_Contribute_Back_A_Qualitative_Study_on_Security_Challenges_of_the_Open_Source_Supply_Chain/24614688Lizenz: Nicht angegeben

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

Dieses zitieren

Wermke, D., Klemmer, J. H., Wöhler, N., Schmüser, J., Ramulu, H. S., Acar, Y., & Fahl, S. (2023). "Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain. in 44th IEEE Symposium on Security and Privacy: SP 2023 (S. 1545-1560). (Proceedings - IEEE Symposium on Security and Privacy; Band 2023-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP46215.2023.10179378

@inproceedings{3b46e41e90c244a497f7849ea1e9bf2a,

title = "{"}Always Contribute Back{"}: A Qualitative Study on Security Challenges of the Open Source Supply Chain",

abstract = "Open source components are ubiquitous in companies' setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors and obligations to assess and mitigate the impact of vulnerabilities in external components.In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects' processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants' projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.",

keywords = "developers, interviews, open-source, supply-chain, usable-security",

author = "Dominik Wermke and Klemmer, \{Jan H.\} and Noah W{\"o}hler and Juliane Schm{\"u}ser and Ramulu, \{Harshini Sri\} and Yasemin Acar and Sascha Fahl",

note = "Funding Information: This work is supported in part by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany{\textquoteright}s Excellence Strategy – EXC 2092 CASA – 390781972, NSF grant CNS-2206865, and the Google Research Scholar program. Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies. We want to thank all interviewees for their participation and appreciate the industry-insider knowledge and valuable time that they have generously given. We also thank the anonymous reviewers for their valuable feedback.; 44th IEEE Symposium on Security and Privacy, SP 2023 ; Conference date: 22-05-2023 Through 25-05-2023",

year = "2023",

doi = "10.1109/SP46215.2023.10179378",

language = "English",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1545--1560",

booktitle = "44th IEEE Symposium on Security and Privacy",

address = "United States",

}

Wermke, D, Klemmer, JH, Wöhler, N, Schmüser, J, Ramulu, HS, Acar, Y & Fahl, S 2023, "Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain. in 44th IEEE Symposium on Security and Privacy: SP 2023. Proceedings - IEEE Symposium on Security and Privacy, Bd. 2023-May, Institute of Electrical and Electronics Engineers Inc., S. 1545-1560, 44th IEEE Symposium on Security and Privacy, SP 2023, Hybrid, San Francisco, USA / Vereinigte Staaten, 22 Mai 2023. https://doi.org/10.1109/SP46215.2023.10179378

"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain. / Wermke, Dominik; Klemmer, Jan H.; Wöhler, Noah et al.
44th IEEE Symposium on Security and Privacy: SP 2023. Institute of Electrical and Electronics Engineers Inc., 2023. S. 1545-1560 (Proceedings - IEEE Symposium on Security and Privacy; Band 2023-May).

Publikation: Beitrag in Buch/Bericht/Sammelwerk/Konferenzband › Aufsatz in Konferenzband › Forschung › Peer-Review

TY - GEN

T1 - "Always Contribute Back"

T2 - 44th IEEE Symposium on Security and Privacy, SP 2023

AU - Wermke, Dominik

AU - Klemmer, Jan H.

AU - Wöhler, Noah

AU - Schmüser, Juliane

AU - Ramulu, Harshini Sri

AU - Acar, Yasemin

AU - Fahl, Sascha

N1 - Funding Information: This work is supported in part by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC 2092 CASA – 390781972, NSF grant CNS-2206865, and the Google Research Scholar program. Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies. We want to thank all interviewees for their participation and appreciate the industry-insider knowledge and valuable time that they have generously given. We also thank the anonymous reviewers for their valuable feedback.

PY - 2023

Y1 - 2023

N2 - Open source components are ubiquitous in companies' setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors and obligations to assess and mitigate the impact of vulnerabilities in external components.In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects' processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants' projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.

AB - Open source components are ubiquitous in companies' setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors and obligations to assess and mitigate the impact of vulnerabilities in external components.In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects' processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants' projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.

KW - developers

KW - interviews

KW - open-source

KW - supply-chain

KW - usable-security

UR - https://www.scopus.com/pages/publications/85166475408

U2 - 10.1109/SP46215.2023.10179378

DO - 10.1109/SP46215.2023.10179378

M3 - Conference contribution

AN - SCOPUS:85166475408

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 1545

EP - 1560

BT - 44th IEEE Symposium on Security and Privacy

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 22 May 2023 through 25 May 2023

ER -

Wermke D, Klemmer JH, Wöhler N, Schmüser J, Ramulu HS, Acar Y et al. "Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain. in 44th IEEE Symposium on Security and Privacy: SP 2023. Institute of Electrical and Electronics Engineers Inc. 2023. S. 1545-1560. (Proceedings - IEEE Symposium on Security and Privacy). doi: 10.1109/SP46215.2023.10179378