Details
Original language | English |
---|---|
Title of host publication | Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 1065-1082 |
Number of pages | 18 |
ISBN (electronic) | 9798350331301 |
ISBN (print) | 979-8-3503-3131-8 |
Publication status | Published - 19 May 2024 |
Event | 45th IEEE Symposium on Security and Privacy, SP 2024 - San Francisco, United States. Duration: 20 May 2024 → 23 May 2024 |
Publication series
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
ISSN (print) | 1081-6011 |
Abstract
To increase open-source software supply chain security, protecting the development environment of contributors against attacks is crucial. For example, contributors must protect authentication credentials for software repositories, code-signing keys, and their systems from malware. Previous incidents illustrated that open-source contributors struggle with protecting their development environment. In contrast to companies, open-source software projects cannot easily enforce security guidelines for development environments. Instead, contributors' security setups are likely heterogeneous regarding chosen technologies and strategies. To the best of our knowledge, we perform the first in-depth qualitative investigation of the security of open-source software contributors' individual security setups, their motivation, decision-making, and sentiments, and the potential impact on open-source software supply chain security. Therefore, we conduct 20 semi-structured interviews with a diverse set of experienced contributors to critical open-source software projects. Overall, we find that contributors have a generally high affinity for security. However, security practices are rarely discussed in the community or enforced by projects. Furthermore, we see a strong influence of social mechanisms, such as trust, respect, or politeness, further impeding the sharing of security knowledge and best practices. We conclude our work with a discussion of the impact of our findings on open-source software and supply chain security, and make recommendations for the open-source software community.
ASJC Scopus subject areas
- Engineering (all)
- Safety, Risk, Reliability and Quality
- Computer Science (all)
- Software
- Computer Science (all)
- Computer Networks and Communications
Cite
Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024. Institute of Electrical and Electronics Engineers Inc., 2024. pp. 1065-1082 (Proceedings - IEEE Symposium on Security and Privacy).
Publication: Contribution to book/report/edited volume/conference proceedings › Conference paper › Research › Peer-reviewed
TY - GEN
T1 - Everyone for Themselves?
T2 - 45th IEEE Symposium on Security and Privacy, SP 2024
AU - Amft, Sabrina
AU - Höltervennhoff, Sandra
AU - Panskus, Rebecca
AU - Marky, Karola
AU - Fahl, Sascha
N1 - Publisher Copyright: © 2024 IEEE.
PY - 2024/5/19
Y1 - 2024/5/19
UR - http://www.scopus.com/inward/record.url?scp=85200366724&partnerID=8YFLogxK
U2 - 10.1109/SP54263.2024.00214
DO - 10.1109/SP54263.2024.00214
M3 - Conference contribution
AN - SCOPUS:85200366724
SN - 979-8-3503-3131-8
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1065
EP - 1082
BT - Proceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 20 May 2024 through 23 May 2024
ER -