Have you ever adopted a code dependency, such as a package from Maven, PyPI, or npm? Or maybe you have managed builds before, like using GitHub actions or CI/CD pipelines? If you answer yes, you have participated in the Software Supply Chain (SSC), and we would love to interview you to see whether things are getting better or worse in SSC security.
We are researchers from the Secure Software Supply Chain Center (S3C2), a multi-institutional research initiative focused on securing the modern software supply chain. We are currently conducting a one-hour interview study to understand how trust in software supply chain security has changed, and we would love you to participate!
Interview Participation
We are looking for professional software practitioners with experience in using, or making decisions about, their software supply chain, in both open-source and industry projects. We are interested in your practices for managing the SSC, how they have changed over the years, and your opinions on the state of SSC security. The interview will take no longer than 60 minutes, and participants receive a $50 compensation (Amazon gift card).
Book an interview with us or email us anytime with questions; we’d love to hear from you!
- Booking link: Google Calendar
- Email Contact: Ranindya “Nanin” Paramitha [email protected]
The interview details:
- Data usage: Fully anonymous; at most, short anonymized quotes from the interview may be published.
- Estimated time: About 60 minutes of your valuable time.
- Scheduling an interview: Flexible scheduling; reach out to us via email if you have any questions!
About this Study
The goal of this study is to investigate and understand developers’ trust in software supply chain security and how that trust changes, using a qualitative study with developers.
Motivation
There have been many SSC attacks, such as SolarWinds, XZ Utils, and Log4j, but there have also been measures taken to address them. With all of this happening, how is developers’ trust in the SSC? Little is known about the current state of developers’ trust in SSC security, and the vague definition of the word “trust” makes it even more challenging to measure. Understanding developers’ trust would give researchers insight into how developers perceive the current state of software supply chain security and how it has changed over the years.
Research Questions
We aim to answer the following research questions:
- Do developers trust the SSC, and do their practices support their perception?
- Does trust change at a certain point in time?
- What factors caused the changes?
Some sample interview questions:
- Can you walk me through the steps you take before adopting a package?
- How do you perform and manage the builds in your project? Can you walk me through those steps?
- How do you consider the people behind packages?
- How do you assign a maintainer for your project?
Data Handling
We value and appreciate your contribution and are committed to maintaining your privacy and confidentiality. To protect your confidentiality and privacy:
- Interview recordings will be destroyed after transcription verification.
- Anonymized transcripts will be destroyed after project completion.
- We will only use short quotes from the interviews in our publication with your approval, and we will make sure that you cannot be identified from our reporting.
- Only the small research team will access the data, under an approved IRB process.
Researchers
- Ranindya “Nanin” Paramitha: Postdoctoral Research Scholar (North Carolina State University)
- Siri Paidipalli: Master’s Student (North Carolina State University)
- Christian Kästner: Associate Professor (Carnegie Mellon University) – will not manage the data
- Laurie Williams: Full Professor (North Carolina State University)