Everyone for Themselves?
A Qualitative Study about Individual Security Setups of Open Source Software Contributors

Paper Overview #

Open source software is now well-established and ubiquitous, and has long since found its way into a wide range of commercial products. As a result, anything that removes or (maliciously) modifies these projects can have a vast and often disastrous impact on the digital world, as various recent incidents have illustrated. This includes not only deliberate developer choices such as protestware, but also supply-chain attacks.

Furthermore, open source projects depend heavily on the security choices of motivated individuals. Unlike companies, which have developers under contract and provide security and safety policies, open source projects have to create and maintain such policies themselves, or trust their contributors. This can have a major influence on the security of the overall project.

In this interview study, we conducted 20 semi-structured interviews with active contributors to popular or critical open-source repositories. During our interviews, we inquired about their personal security measures regarding open source projects, including account security, physical security of devices, and data handling.

We find that while our participants generally show a high security affinity, their individual measures are typically self-motivated and rarely encouraged or enforced by open source projects. Overall, security is only rarely discussed and is seen as the individual's responsibility and a matter of common sense. Furthermore, we find a strong influence of social mechanisms, such as trust, respect, or politeness, which further impedes how security is discussed and handled.

Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors
Sabrina Amft, Sandra Höltervennhoff, Rebecca Panskus, Karola Marky and Sascha Fahl.
In 45th IEEE Symposium on Security and Privacy (IEEE S&P 2024), May 20-23, 2024.

Abstract
To increase open-source software supply chain security, protecting the development environment of contributors against attacks is crucial. For example, contributors must protect authentication credentials for software repositories, code-signing keys, and their systems from malware. Previous incidents illustrated that open-source contributors struggle with protecting their development environment. In contrast to companies, open-source software projects cannot easily enforce security guidelines for development environments. Instead, contributors’ security setups are likely heterogeneous regarding chosen technologies and strategies. To the best of our knowledge, we perform the first in-depth qualitative investigation of the security of open-source software contributors’ individual security setups, their motivation, decision-making, and sentiments, and the potential impact on open-source software supply chain security. Therefore, we conduct 20 semi-structured interviews with a diverse set of experienced contributors to critical open-source software projects. Overall, we find that contributors have a generally high affinity for security. However, security practices are rarely discussed in the community or enforced by projects. Furthermore, we see a strong influence of social mechanisms, such as trust, respect, or politeness, further impeding the sharing of security knowledge and best practices. We conclude our work with a discussion of the impact of our findings on open-source software and supply chain security, and make recommendations for the open-source software community.

Replication Artifacts #

In line with the effort to support replication of our work and help other researchers build upon it, we provide a replication package and an artifact repository. Please find all files published via the Open Science Foundation, including our final codebook, interview guide, and all communication such as the consent form, pre-survey, or study invitation email.

Acknowledgements #

We want to thank all of our participants for trusting us with their experiences and insights, thereby enabling us to do this research. We are grateful to the reviewers for their valuable feedback. We thank our lab students Stina Schäfer, Anne Vonderheide, Kateryna Nosik and Lukas Niehus for their early text drafts during our lecture. Additionally, we thank Nicolas Huaman, Niklas Busch, and Juliane Schmüser for aiding our work as backup interviewers and proofreaders. This research was funded by the VolkswagenStiftung Niedersächsisches Vorab – ZN3695 and by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy — EXC 2092 CASA – 390781972.

Cite This Work #

@inproceedings{conf/oakland/amft24,
  author    = {Sabrina Amft and
               Sandra Höltervennhoff and
               Rebecca Panskus and
               Karola Marky and
               Sascha Fahl},
  title     = {Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors},
  booktitle = {45th IEEE Symposium on Security and Privacy, IEEE S\&P 2024, May 20-23, 2024},
  month     = {May},
  publisher = {IEEE Computer Society},
  url       = {https://www.ieee-security.org/TC/SP2024/accepted-papers.html},
  year      = {2024}
}
Amft et al. Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors. In 45th IEEE Symposium on Security and Privacy. 2024.
Amft, S., Höltervennhoff, S., Panskus, R., Marky, K., & Fahl, S. (2024, May). Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors. In 45th IEEE Symposium on Security and Privacy.
%0 Conference Proceedings
%T Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors
%A Amft, Sabrina
%A Höltervennhoff, Sandra
%A Panskus, Rebecca
%A Marky, Karola
%A Fahl, Sascha
%B 45th IEEE Symposium on Security and Privacy
%D 2024
TY  - CONF
T1  - Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors
A1  - Amft, Sabrina
A1  - Höltervennhoff, Sandra
A1  - Panskus, Rebecca
A1  - Marky, Karola
A1  - Fahl, Sascha
JO  - 45th IEEE Symposium on Security and Privacy
Y1  - 2024
ER  -

Contributing Researchers #

We are a research team from the state-funded CISPA Helmholtz Center for Information Security in Germany. Our group studies the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

You can find our publications here.

Researchers

Sabrina Amft | Researcher & PhD Student (CISPA)
Contact: sabrina.amft@cispa.de

Sandra Höltervennhoff | Researcher & PhD Student (CASA)
Rebecca Panskus | Researcher & PhD Student (RUB)
Prof. Dr. Sascha Fahl | Principal Investigator, Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover)
Prof. Dr. Karola Marky | Principal Investigator, Full Professor (Ruhr-University Bochum)

Institutions

CISPA Helmholtz-Center for Information Security

Leibniz University Hannover

Ruhr University Bochum