Understanding Trust and Security Processes in the Open Source Software Ecosystem

Note: Presentation times are in Pacific Standard Time (PST).

Wednesday, January 25, 2023 - 3:10 pm3:40 pm

Dominik Wermke, CISPA Helmholtz Center for Information Security


Open source software has an important role in our everyday-lives: as foundation, glue, or tooling, open source constitutes many important links in the software supply chain. But the openness of this ecosystem brings unique (security) challenges, including code submissions from unknown entities, limited developer-hours & tooling to review commits or dependencies, and the necessity to vet included open source components. Through the results from interview studies with contributors of open source projects, companies that use open source components, maintainers that distribute their packages on open source packages repos, as well as developers that create reproducible software, we examined the security and trust processes and considerations in the open source supply chain, especially those that are not directly visible on a data level and can only be understood through engagement with the open source community.

During this talk, I will introduce the different aspects and challenges of security and trust in the open source ecosystem to a wider audience, highlight interviews as a collaborative, less harmful approach for open source research that positively engages with the community and creates excitement for academic research, and share practical advice on how to improve security in the software supply chain by enabling stakeholders such as maintainers and contributors.

Dominik Wermke, CISPA Helmholtz Center for Information Security

Dominik Wermke is a Usable Security & Privacy researcher at CISPA Helmholtz Center for Information Security, a Computer Science PhD student at the Leibniz University Hannover, and a visiting scholar at the GWUSEC lab at George Washington University. His research enables developers and administrators to deploy secure, privacy-respecting, and trust-worthy software that benefits the security of hundreds of dependent code bases, thousands of real-world deployments, and millions of end users. His research leverages this multiplicative effect by supporting open source maintainers, developers, and system administrators in the shared endeavor towards a more secure and trustworthy software ecosystem. His work has appeared in the top-tier security venues such as IEEE S&P, USENIX Security, and ACM CCS, as well as field-specific venues such as SOUPS and ACSAC.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {285629,
author = {Dominik Wermke},
title = {Understanding Trust and Security Processes in the Open Source Software Ecosystem},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jan,