Dominik Wermke, CISPA Helmholtz Center for Information Security
Open source software has an important role in our everyday-lives: as foundation, glue, or tooling, open source constitutes many important links in the software supply chain. But the openness of this ecosystem brings unique (security) challenges, including code submissions from unknown entities, limited developer-hours & tooling to review commits or dependencies, and the necessity to vet included open source components. Through the results from interview studies with contributors of open source projects, companies that use open source components, maintainers that distribute their packages on open source packages repos, as well as developers that create reproducible software, we examined the security and trust processes and considerations in the open source supply chain, especially those that are not directly visible on a data level and can only be understood through engagement with the open source community.
During this talk, I will introduce the different aspects and challenges of security and trust in the open source ecosystem to a wider audience, highlight interviews as a collaborative, less harmful approach for open source research that positively engages with the community and creates excitement for academic research, and share practical advice on how to improve security in the software supply chain by enabling stakeholders such as maintainers and contributors.
Dominik Wermke, CISPA Helmholtz Center for Information Security
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Dominik Wermke},
title = {Understanding Trust and Security Processes in the Open Source Software Ecosystem},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jan
}