Understanding Trust and Security Processes in the Open Source Software Ecosystem

Dominik Wermke, CISPA Helmholtz Center for Information Security

Open source software has an important role in our everyday-lives: as foundation, glue, or tooling, open source constitutes many important links in the software supply chain. But the openness of this ecosystem brings unique (security) challenges, including code submissions from unknown entities, limited developer-hours & tooling to review commits or dependencies, and the necessity to vet included open source components. Through the results from interview studies with contributors of open source projects, companies that use open source components, maintainers that distribute their packages on open source packages repos, as well as developers that create reproducible software, we examined the security and trust processes and considerations in the open source supply chain, especially those that are not directly visible on a data level and can only be understood through engagement with the open source community.

During this talk, I will introduce the different aspects and challenges of security and trust in the open source ecosystem to a wider audience, highlight interviews as a collaborative, less harmful approach for open source research that positively engages with the community and creates excitement for academic research, and share practical advice on how to improve security in the software supply chain by enabling stakeholders such as maintainers and contributors.

View the full Enigma 2023 program at https://www.usenix.org/conference/eni...