cispa_all_3932.pdf (214.62 kB)

"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain

conference contribution
posted on 2023-11-29, 18:24, authored by Dominik Wermke, Jan H. Klemmer, Noah Wöhler, Juliane Schmüser, Yasemin Acar, Harshini Sri Ramulu, Sascha Fahl
Open source components are ubiquitous in companies’ setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors, as well as the obligation to assess and mitigate the impact of vulnerabilities in external components. In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects’ processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants’ projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.


Preferred Citation

Dominik Wermke, Jan Klemmer, Noah Wöhler, Juliane Schmüser, Sri Harshini and Sascha Fahl. "Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain. In: IEEE Symposium on Security and Privacy (S&P). 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Open Access Type

  • Green


@inproceedings{cispa_all_3932,
  title     = {"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain},
  author    = {Wermke, Dominik and Klemmer, Jan H. and W{\"o}hler, Noah and Schm{\"u}ser, Juliane and Ramulu, Harshini Sri and Acar, Yasemin and Fahl, Sascha},
  booktitle = {IEEE Symposium on Security and Privacy (S\&P)},
  year      = {2023},
}
