Wermke, Dominik: Security considerations in the open source software ecosystem. Hannover : Gottfried Wilhelm Leibniz Universität, Diss., 2023, XIII, 214 S., DOI: https://doi.org/10.15488/13783
Abstract: | |
Open source software plays an important role in the software supply chain, allowing stakeholders toutilize open source components as building blocks in their software, tooling, and infrastructure. Butrelying on the open source ecosystem introduces unique challenges, both in terms of security and trust,as well as in terms of supply chain reliability.In this dissertation, I investigate approaches, considerations, and encountered challenges of stakeholders in the context of security, privacy, and trustworthiness of the open source software supplychain. Overall, my research aims to empower and support software experts with the knowledge andresources necessary to achieve a more secure and trustworthy open source software ecosystem. In thefirst part of this dissertation, I describe a research study investigating the security and trust practicesin open source projects by interviewing 27 owners, maintainers, and contributors from a diverse setof projects to explore their behind-the-scenes processes, guidance and policies, incident handling, andencountered challenges, finding that participants’ projects are highly diverse in terms of their deployedsecurity measures and trust processes, as well as their underlying motivations. More on the consumerside of the open source software supply chain, I investigated the use of open source components inindustry projects by interviewing 25 software developers, architects, and engineers to understand theirprojects’ processes, decisions, and considerations in the context of external open source code, findingthat open source components play an important role in many of the industry projects, and that mostprojects have some form of company policy or best practice for including external code. On the side ofend-user focused software, I present a study investigating the use of software obfuscation in Androidapplications, which is a recommended practice to protect against plagiarism and repackaging. Thestudy leveraged a multi-pronged approach including a large-scale measurement, a developer survey, anda programming experiment, finding that only 24.92% of apps are obfuscated by their developer, thatdevelopers do not fear theft of their own apps, and have difficulties obfuscating their own apps. Lastly,to involve end users themselves, I describe a survey with 200 users of cloud office suites to investigatetheir security and privacy perceptions and expectations, with findings suggesting that users are generallyaware of basic security implications, but lack technical knowledge for envisioning some threat models.The key findings of this dissertation include that open source projects have highly diverse securitymeasures, trust processes, and underlying motivations. That the projects’ security and trust needs arelikely best met in ways that consider their individual strengths, limitations, and project stage, especiallyfor smaller projects with limited access to resources. That open source components play an importantrole in industry projects, and that those projects often have some form of company policy or bestpractice for including external code, but developers wish for more resources to better audit includedcomponents.This dissertation emphasizes the importance of collaboration and shared responsibility in building and maintaining the open source software ecosystem, with developers, maintainers, end users,researchers, and other stakeholders alike ensuring that the ecosystem remains a secure, trustworthy, andhealthy resource for everyone to rely on. | |
License of this version: | CC BY 3.0 DE |
Document Type: | DoctoralThesis |
Publishing status: | publishedVersion |
Issue Date: | 2023 |
Appears in Collections: | Fakultät für Elektrotechnik und Informatik Dissertationen |
pos. | country | downloads | ||
---|---|---|---|---|
total | perc. | |||
1 | United States | 516 | 34.35% | |
2 | Germany | 211 | 14.05% | |
3 | No geo information available | 84 | 5.59% | |
4 | Russian Federation | 62 | 4.13% | |
5 | Indonesia | 43 | 2.86% | |
6 | India | 39 | 2.60% | |
7 | United Kingdom | 37 | 2.46% | |
8 | Canada | 32 | 2.13% | |
9 | China | 31 | 2.06% | |
10 | France | 28 | 1.86% | |
other countries | 419 | 27.90% |
Hinweis
Zur Erhebung der Downloadstatistiken kommen entsprechend dem „COUNTER Code of Practice for e-Resources“ international anerkannte Regeln und Normen zur Anwendung. COUNTER ist eine internationale Non-Profit-Organisation, in der Bibliotheksverbände, Datenbankanbieter und Verlage gemeinsam an Standards zur Erhebung, Speicherung und Verarbeitung von Nutzungsdaten elektronischer Ressourcen arbeiten, welche so Objektivität und Vergleichbarkeit gewährleisten sollen. Es werden hierbei ausschließlich Zugriffe auf die entsprechenden Volltexte ausgewertet, keine Aufrufe der Website an sich.