“Always Contribute Back”:
A Qualitative Study on Security Challenges of the Open Source Supply Chain
In a study consisting of 25 interviews with software developers, architects, and engineers from industry software projects, we found that open source components play an important role in many projects, and that most projects have policies or best practices for including external code, but many developers desire more resources for auditing included components.

Publication #

“Always Contribute Back”: A Qualitative Study on Security Challenges of the Open Source Supply Chain
Dominik Wermke, Jan H. Klemmer, Noah Wöhler, Juliane Schmüser, Harshini Sri Ramulu, Yasemin Acar and Sascha Fahl.
44th IEEE Symposium on Security and Privacy (S&P'23), May 22-25, 2023.

Abstract

Open source components are ubiquitous in companies’ setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors, as well as the obligation to assess and mitigate the impact of vulnerabilities in external components.

In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects’ processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants’ projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.

Acknowledgements #

We want to acknowledge and thank all interviewees for their participation. We appreciate your industry-insider knowledge and your valuable time that you have generously given. We hope that with this work and your contribution, we can support industry and open source communities on their journey towards a more secure, shared software ecosystem. Last but not least, we thank the anonymous reviewers for their valuable feedback.

Artifacts #

In line with the effort to support replication of our work and help other researchers build upon it, we provide a replication package.

Filename Description
interview-guide.pdf Interview Guide
codebook.pdf Codebook used for interview coding

Cite This Work #

@inproceedings{conf-oakland-wermke23,
  title     = {``Always Contribute Back'': A Qualitative Study on Security Challenges of the Open Source Supply Chain},
  author    = {Dominik Wermke and
               Jan H. Klemmer and
               Noah Wöhler and
               Juliane Schmüser and
               Harshini Sri Ramulu and
               Yasemin Acar and
               Sascha Fahl},
  booktitle = {Proceedings of the 44th IEEE Symposium on Security and Privacy (IEEE S\&P'23)},
  month     = may,
  year      = {2023},
  publisher = {IEEE Computer Society},
  url       = {https://www.ieee-security.org/TC/SP2023/program-papers.html},
}