Making software open has not been a given for a long time. Today, however, open source software has become the foundation of the modern world. But the principle of openness also poses security risks as the number of projects and contributors grows. A team of researchers from the Cluster of Excellence CASA "Cyber Security in the Age of Large-Scale Adversaries" at Ruhr-Universität Bochum (RUB) and the CISPA Helmholtz Center for Information Security investigated the processes as well as security and trust practices in open source projects. For this purpose, they conducted 27 in-depth structured interviews with contributors, maintainers and founders of smaller and larger projects.
The researchers presented their results at IEEE S&P. For their paper "Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects" Dominik Wermke and Noah Wöhler from CISPA, Jan H. Klemmer from CASA, Marcel Fourné from the Max Planck Institute for Security and Privacy (MPI-SP) and the two CASA Principal Investigators (PI) Yasemin Acar (George Washington University) and Sascha Fahl (CISPA and Leibniz University Hannover) received a Distinguished Paper Award at the conference.
Why is the concept of openness so successful?
Open source software is an integral part of IT industry; for example, nearly all web servers and many browsers are based on free components. "Anyone can see the program code, use it, change it or extend it," says Jan Klemmer, a CASA PhD student in the Empirical Information Security research group at Leibniz Universität Hannover, explaining the concept. So protecting one's own source code is often obsolete: Today, companies and institutions use the source code freely available in numerous open source projects. This can be compared to a library: The open source software is made publicly available as one module among many others and can be used by others for their own projects if required.
The development and writing of the source code is done collaboratively by software developers. Committers can propose program code they wrote for inclusion in a project and make them available to the community. Afterwards, so-called maintainers, who act like moderators in the open source projects, decide on the inclusion or changes in a software. However, this is not always without risk: "Accepting source code that you have not programmed yourself naturally saves time and develops the project further, but there is a possibility that security vulnerabilities will be incorporated into your own project, making it vulnerable to possible attacks," Klemmer points out.
Challenges for security and trust
In their study, the researchers discovered that only a few of the participants had ever experienced a security incident like this. For example, this could be the surreptitious and intentional introduction of bugs in the source code. They often reported suspicious commits, but these could be quickly identified due to obvious errors and low-quality - similar to spam emails. In this context, trust in new committers and the size of the project play an important role. "Especially in larger projects, you often only know the username, but don't know more about the person - often contributors are geographically dispersed and you only know each other virtually, if at all. In many projects, therefore, they are trusted based on their corresponding previous contributions and collaboration on the project," said Jan Klemmer.
About half of the respondents reported existing guidance and guidelines for contributing to their open source projects. The perception of the usefulness of such guidelines varied greatly: It ranged from very useful to few advantages with a high creation effort of corresponding documentation for other participants. Some of the study participants stated that they had no specific security guidelines. In addition, other projects had well-defined contact options for reporting vulnerabilities and corresponding processes for publishing security vulnerabilities.
Open source security gains in importance
Due to the strongly increased distribution of open source projects, their security and that of the entire software supply chain is steadily gaining in importance. Security incidents in the recent past, such as the Log4Shell vulnerability (CVE-2021-44228), also underscore this continuously. In order to further improve security in open source projects, it is therefore necessary to address the individual circumstances of the projects.
Original publication
Dominik Wermke, Noah Wöhler, Jan H. Klemmer, Marcel Fourné, Yasemin Acar, Sascha Fahl: Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects, IEEE Symposium on Security and Privacy, 2022, DOI: 10.1109/SP46214.2022.00143
Accompanying website to the publication
https://publications.teamusec.de/2022-oakland-sec-oss/
Press Contact:
Jan H. Klemmer
Leibniz University Hannover
Empirical Information Security Group
Phone: +49 511 762-14836
Email: klemmer(at)sec.uni-hannover.de
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.
Security in Openness
Copyright: RUB, Michael Schwettmann.
