Developers' Experiences on Code Secret Management - Interviews

Looking for Interview Partners

Do you develop software or contribute to projects using version control systems and platforms, like git and GitHub? Have you experienced code secret leakage in the past?

Handling various secret information within a project can be challenging. We would love to interview you about your experiences developing software, especially about dealing with secrets/confidential information within your projects and their source code (e.g., API keys or CI/CD keys).

We are a group of security & privacy researchers from the German CISPA Helmholtz-Center for Information Security and the Leibniz University Hannover with collaborations to various other institutions. We are looking for interview partners with experience in developing software using version control systems and source code repositories like GitHub or GitLab.

The interview would:

  • Be fully pseudonymized for you and the projects; at most, short anonymized quotes from the interview might be published.
  • Take about 45 minutes of your valuable time.
  • Be on any audio/video platform of your choice (our self-hosted Jitsi, BigBlueButton, …), camera optional. (We recommend BigBlueButton, hosted by GWDG.)

Participate: Please fill out our pre-survey. After finishing the pre-survey, you will be able to schedule an interview appointment with us.

Please contact us if you have any questions: alexander.krause@cispa.de

Context

Within this study, we are interested in the code secret management approaches that developers apply. This includes, for example, sharing secrets within a software team or preventing code secret leakage in open source code repositories like GitHub. Previous work by Krause et al. [1] revealed that about 30% of developers have experienced code secret leakage. We aim to better understand the root causes and the challenges that developers face, and to explore approaches for both prevention and remediation of secret leaks.

[1] Poster: Committed by Accident – Prevention and Remediation Strategies Against Secret Leakage

Data Handling

For the analysis of the interviews, we would like to use transcripts. For this, we need to collect the following data:

  • A recording of your interview that will be destroyed after transcription (a few days after the interview is processed).
  • A fully disidentified (your & project information) transcript of the interview, which will be destroyed after our research is complete (likely a few months after the interview).

The interview and data processing have been approved by our German equivalent of an IRB:

  • The data collected will be fully disidentified whenever necessary.
  • Throughout the research, access to the data is limited to a few trained researchers only.
  • All data collected will be handled in accordance with strict GDPR/DSGVO regulations.
  • All data will be destroyed upon completion of our research.

Our full consent disclosure is as follows:

  • Participation: Your participation is of course entirely voluntary. You may skip any questions you don’t want to answer, abort the interview at any time for any reason, or cancel the interview appointment.
  • Data Collection: We would like to record the interview’s audio (and optionally video) for later transcription by a GDPR-compliant transcription service. After we disidentify the transcripts and check them for accuracy, all recordings will be discarded.
  • Risks: The risks to your participation in this online interview study are those associated with basic computer tasks, including boredom, fatigue, mild stress, or breach of confidentiality.
  • Benefits: The benefits of participating in the interview are the learning experience of taking part in a research study and the contribution to the state of scientific knowledge.

Who we are

Our group studies the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

You can find some of our recent publications here.

Researchers

Alexander Krause | Project Lead
Researcher (CISPA).
Yasemin Acar | Principal Investigator
Tenure Track Assistant Professor (George Washington University).
Sascha Fahl | Principal Investigator
Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover).

Institutions

CISPA Helmholtz-Center for Information Security
German national Big Science Institution within the Helmholtz Association.
George Washington University
University, Washington DC, USA.