Do you use software composition analysis tools? We would love to interview you about your projects and experience!

We are researchers from the Wolfpack Security and Privacy Research Lab at North Carolina State University interested in how software composition analysis tools are used. We are also part of the Secure Software Supply Chain Center, a multi-institution research enterprise with the goal of securing the software supply chain.

The interview would be

  • fully anonymous; at most, short anonymized quotes from the interview would be published.
  • estimated to take ~45 min of your valuable time.

Schedule an interview with us or reach out through email if you have any questions!

About this study

In this study, we are looking for participants for an interview-based investigation of how SCA (software composition analysis) tools are used. The study aims to uncover how the tools fit into security workflows and how users make decisions based on tool output. From the interviews, we hope to gather insights into SCA tools and software supply chain security.

Motivation

SCA tools determine which software components are included in your application and whether known vulnerabilities exist in those components. A common challenge for SCA tool users is the large number of alerts returned by the tool, which can overwhelm users. Previous research has also shown differences in SCA tool output. However, there is no study yet that examines SCA tools from the user perspective.

Interview participation

We are looking for people who have experience with SCA tools or are part of an organization that uses SCA tools. We are interested in your experiences, opinions, and challenges encountered with SCA tools.

The interview would take no longer than 60 minutes and includes a compensation of $60.

Research Questions

We aim to answer the following research questions:

  1. How do users interact with SCA tools?
  2. How are SCA alerts prioritized?
  3. How can SCA tools be improved?

Some sample questions include:

  1. What kind of projects integrate SCA tools?
  2. How is the SCA tool integrated into the SDLC?
  3. How are warnings or alerts from the SCA tool resolved?
  4. What are existing SCA tool features you think have been useful?

Data Handling

We value and appreciate your contribution to our study and are committed to maintaining your privacy and the confidentiality of all data you provide. We will only use short quotes from the interviews in our publication with your approval, and we will make sure that you cannot be identified from our reporting.

We would like to analyze interview transcripts, for which we would collect the following data:

  • A recording of your interview, which would be destroyed after transcription (likely a few days after the interview)
  • A fully anonymized and de-identified transcript of the interview, which would be destroyed after completion of our research (likely a few months after the interview)

During the study, data access is restricted to a small number of trained researchers. All data will be handled according to the approved IRB process.

Researchers

Elizabeth Lin, PhD Student (North Carolina State University)
Dominik Wermke, Assistant Professor (North Carolina State University)
William Enck, Full Professor (North Carolina State University)