Details
Field | Value
---|---
Original language | English
Title of host publication | 44th IEEE Symposium on Security and Privacy
Subtitle of host publication | SP 2023
Publisher | Institute of Electrical and Electronics Engineers Inc.
Pages | 1545-1560
Number of pages | 16
ISBN (electronic) | 9781665493369
Publication status | Published - 2023
Event | 44th IEEE Symposium on Security and Privacy, SP 2023 - Hybrid, San Francisco, United States; duration: 22 May 2023 → 25 May 2023
Publication series
Field | Value
---|---
Name | Proceedings - IEEE Symposium on Security and Privacy
Volume | 2023-May
ISSN (Print) | 1081-6011
Abstract
Open source components are ubiquitous in companies' setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors and obligations to assess and mitigate the impact of vulnerabilities in external components. In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects' processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants' projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.
Keywords
- developers, interviews, open-source, supply-chain, usable-security
ASJC Scopus subject areas
- Engineering(all)
- Safety, Risk, Reliability and Quality
- Computer Science(all)
- Software
- Computer Networks and Communications
Cite this
Wermke, D, Klemmer, JH, Wöhler, N, Schmüser, J, Ramulu, HS, Acar, Y & Fahl, S, "Always Contribute Back", in 44th IEEE Symposium on Security and Privacy: SP 2023. Institute of Electrical and Electronics Engineers Inc., 2023. p. 1545-1560 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2023-May).
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - "Always Contribute Back"
T2 - 44th IEEE Symposium on Security and Privacy, SP 2023
AU - Wermke, Dominik
AU - Klemmer, Jan H.
AU - Wöhler, Noah
AU - Schmüser, Juliane
AU - Ramulu, Harshini Sri
AU - Acar, Yasemin
AU - Fahl, Sascha
N1 - Funding Information: This work is supported in part by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC 2092 CASA – 390781972, NSF grant CNS-2206865, and the Google Research Scholar program. Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies. We want to thank all interviewees for their participation and appreciate the industry-insider knowledge and valuable time that they have generously given. We also thank the anonymous reviewers for their valuable feedback.
PY - 2023
Y1 - 2023
KW - developers
KW - interviews
KW - open-source
KW - supply-chain
KW - usable-security
UR - http://www.scopus.com/inward/record.url?scp=85166475408&partnerID=8YFLogxK
U2 - 10.1109/SP46215.2023.10179378
DO - 10.1109/SP46215.2023.10179378
M3 - Conference contribution
AN - SCOPUS:85166475408
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1545
EP - 1560
BT - 44th IEEE Symposium on Security and Privacy
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 22 May 2023 through 25 May 2023
ER -