Supply Chain Interviews
Does your company use open source components in software projects? We would love to interview you about the projects and your experiences!

What: We are looking for interview partners from industry and related areas to gain deeper insights into the use of open source components.

Who: We are a group of cyber security & privacy researchers from the George Washington University and the German CISPA Helmholtz-Center for Information Security.

Why: As part of the supply chain, a single compromised open source component threatens the whole software stack. We are interested in how industry stakeholders deal with these challenges and how we can better support them.

How: Transcribed, anonymous voice interview; the interview would be:

  • Fully anonymous for you, the company, and the projects. We will remove all references or identifying information.
  • At most, we plan on publishing short anonymized quotes from the interview. You will get a chance to update or veto any quotes before a publication.
  • On any voice platform of your choice (Our self-hosted Jitsi instance, Zoom, Webex, BBB, …), no camera required.

Participate
You can directly book a timeslot for the interview via our Calendly event or write us an email for a more convenient time slot.
(The 1 hour timeslot includes time to spare; the median interview time so far was around 35 minutes.)

About

Whether as low-level system drivers in operating systems, as tooling in our daily jobs, or simply as dependencies of our hobby projects, open source software is an important building block of our everyday lives.

Motivation

Open source software is often itself part of an even larger chain: the supply chain of included packages. These packages are often included from package repositories and present a wide attack surface.

Just one compromised package threatens all users of the open source component it was included in.

“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.” – Ken Thompson in “Reflections on Trusting Trust”. [1]

Previous Publication

In a previous publication, we conducted interviews with open source maintainers and committers to better understand the security and privacy processes that happen behind-the-scenes in open source projects.

Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects
Dominik Wermke, Noah Wöhler, Jan H. Klemmer, Marcel Fourné, Yasemin Acar and Sascha Fahl.
43rd IEEE Symposium on Security and Privacy (S&P'22), May 22-26, 2022.

While this publication focused on the “beginning” of the open source supply chain, we are now interested in how the “consumers” of these open source components approach supply chain challenges.

Overall, we aim to better support open source stakeholders with trust and security considerations — by investigating both public and internal security measures and trust processes within a diverse set of projects.

Interview

Do you work on projects with open source components? We would like to invite you to an interview via an audio call on a platform of your choice (e.g., Zoom, Skype, our self-hosted Jitsi, …).

We are interested in your personal experiences and opinions, as well as the security & trust processes in the projects. We are not judging the deployed security measures of the project; we are just interested in the underlying structures and considerations.

Example Questions

The interview is set up in a semi-structured approach: each section opens with a somewhat general question on which you can elaborate to your liking and knowledge, after which we might ask some additional follow-up questions.

Some examples for questions:

  • S1Q1 Project: Can you tell us a bit about the project(s) you are involved in?
  • S2Q1 Components: Are you aware of any open source components included in your project?
  • S2Q3 Supply Chain: How are those external components pulled/included into the build process?
  • S3Q3 Documentation: Does your project provide guides/best practices/hints for including external code (e.g., open source components)?
  • S4Q2 Updating: How are you keeping open source components up to date?

Data Handling

We would like to analyze the interviews based on transcripts. For this, we need to collect the following data:

  • A recording of the interview, which will be destroyed after we have verified the transcription (likely a few days after the interview).
  • A fully anonymized and de-identified (your & project information) transcript of the interview, destroyed after completion of our research (likely a few months after the interview).

The interview & data handling process was approved by our IRB:

  • Collected data is fully anonymized and de-identified if possible.
  • During all research, data access is restricted to a small number of trained researchers.
  • In addition, all collected data is handled according to strict GDPR/DSGVO regulations.
  • All data will be destroyed after completion of our research.

Our full consent disclosure is as follows:

  • Participation: Your participation is of course entirely voluntary. You may skip any questions you don’t want to answer, abort the interview at any time for any reason, or cancel the interview appointment.
  • Data Collection: We would like to record the call’s audio for later transcription by a GDPR/DSGVO compliant transcription service. After we de-identify as well as pseudonymize transcripts and check them for accuracy, all recordings will be discarded.
  • Sensitive Questions: We are mostly interested in open source components and selection criteria in the project. You can skip any question at any time.
  • Risks: The risks to your participation in this online interview study are those associated with basic computer tasks, including boredom, fatigue, mild stress, or breach of confidentiality.
  • Benefits: Benefits of participating in the interview are the learning experience from participating in a research study, and the contribution to the state of scientific knowledge.

Who we are

We are a group of security & privacy researchers from George Washington University and the CISPA Helmholtz-Center for Information Security.

Our research focuses on end users, administrators, developers and designers of computer systems and their interdependencies with computer security and privacy mechanisms. You can find some of our recent publications on our institute page, as well as on our personal websites.

The involved main researchers are listed below; additional team members are listed on our institutes' pages.

Main Researchers

Dominik Wermke
Visiting Researcher (George Washington University) and Researcher (CISPA).
Yasemin Acar | Principal Investigator
Tenure Track Assistant Professor (George Washington University).
Sascha Fahl
Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover).

Involved Institutions

George Washington University
University, Washington DC, USA.
CISPA Helmholtz-Center for Information Security
German national Big Science Institution within the Helmholtz Association.

  1. Ken Thompson: Reflections on Trusting Trust. Communications of the ACM, 1984.