# Best Practices in Security Software: Key Quotes
###### tags: `Current bc-interns Projects`
## Introduction
"improving security and trust in the open source ecosystem leads to positive effects down the whole dependency chain for both open source and commercial software."
"As to err is only human, we consider contributors as trustworthy if they do not act with malicious intent, not necessarily that they contribute error-free code."
([pg. 2](https://csdl-downloads.ieeecomputer.org/proceedings/sp/2022/1316/00/131600b572.pdf?Expires=1653409728&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9jc2RsLWRvd25sb2Fkcy5pZWVlY29tcHV0ZXIub3JnL3Byb2NlZWRpbmdzL3NwLzIwMjIvMTMxNi8wMC8xMzE2MDBiNTcyLnBkZiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTY1MzQwOTcyOH19fV19&Signature=mH5cAuZzEJznsH7XkXAtlB04H-8-lB2APWTEn6VVbNVWFiF4j87jAQWMZsRuWy~XLVYoJCg66iGb2m3uuz8AGPKeqMfiPuonTEGuWAsXyoZMqe9zNofio9s7rHMw0EOnAK2ZrJF7Rz13iNATBesmI7uD2v-OxD~K8BBUPBj2plY4RNx-roG1ACUeR25Ms-IWNwf-dBzaR~cOl0jeblsKjE9MwvDVJ6gltlpilZacqXJwjsmYnx4reTGkAqGomnA57YDD36d3658AOu2NCxD55ExjJ1NPSy~928eynieBxQdD-75L5KUhOP9BZpsduyoe8tJ-3mAcZ1593SGvoBxGGA__&Key-Pair-Id=K12PMWTCQBDMDT))
## Methodology
## Results & Discussion
#### *Study Demographics: Highly experienced in open source technology*
"important decisions such as release windows, announcements, and distribution infrastructure are all based on the input, feedback, and needs of contributors and users. *Most projects appear to handle security and trust incidents “as they happen”.* This seems to be a pragmatic strategy, as it seems unlikely that a project could cover all possible incident types beforehand, especially with the limited personpower of smaller communities."
"'the combination of deep dependency chains and automatic testing can lead to many false positive security warnings.'"
([pg. 13](https://csdl-downloads.ieeecomputer.org/proceedings/sp/2022/1316/00/131600b572.pdf?Expires=1653409728&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9jc2RsLWRvd25sb2Fkcy5pZWVlY29tcHV0ZXIub3JnL3Byb2NlZWRpbmdzL3NwLzIwMjIvMTMxNi8wMC8xMzE2MDBiNTcyLnBkZiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTY1MzQwOTcyOH19fV19&Signature=mH5cAuZzEJznsH7XkXAtlB04H-8-lB2APWTEn6VVbNVWFiF4j87jAQWMZsRuWy~XLVYoJCg66iGb2m3uuz8AGPKeqMfiPuonTEGuWAsXyoZMqe9zNofio9s7rHMw0EOnAK2ZrJF7Rz13iNATBesmI7uD2v-OxD~K8BBUPBj2plY4RNx-roG1ACUeR25Ms-IWNwf-dBzaR~cOl0jeblsKjE9MwvDVJ6gltlpilZacqXJwjsmYnx4reTGkAqGomnA57YDD36d3658AOu2NCxD55ExjJ1NPSy~928eynieBxQdD-75L5KUhOP9BZpsduyoe8tJ-3mAcZ1593SGvoBxGGA__&Key-Pair-Id=K12PMWTCQBDMDT))
## Conclusion
"Elaborate incident playbooks and committer structures are likely of little use to these projects due to frequently changing committers and structures. We surmise that especially these smaller projects could be better supported with public, general example playbooks and resources for incidents that they then can utilize when the need arises."
"Overall, we argue for supporting open source projects in ways that better consider their individual strengths and limitations, especially in the case of smaller projects with low contributor numbers and limited access to resources."
([pg. 13](https://csdl-downloads.ieeecomputer.org/proceedings/sp/2022/1316/00/131600b572.pdf?Expires=1653409728&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9jc2RsLWRvd25sb2Fkcy5pZWVlY29tcHV0ZXIub3JnL3Byb2NlZWRpbmdzL3NwLzIwMjIvMTMxNi8wMC8xMzE2MDBiNTcyLnBkZiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTY1MzQwOTcyOH19fV19&Signature=mH5cAuZzEJznsH7XkXAtlB04H-8-lB2APWTEn6VVbNVWFiF4j87jAQWMZsRuWy~XLVYoJCg66iGb2m3uuz8AGPKeqMfiPuonTEGuWAsXyoZMqe9zNofio9s7rHMw0EOnAK2ZrJF7Rz13iNATBesmI7uD2v-OxD~K8BBUPBj2plY4RNx-roG1ACUeR25Ms-IWNwf-dBzaR~cOl0jeblsKjE9MwvDVJ6gltlpilZacqXJwjsmYnx4reTGkAqGomnA57YDD36d3658AOu2NCxD55ExjJ1NPSy~928eynieBxQdD-75L5KUhOP9BZpsduyoe8tJ-3mAcZ1593SGvoBxGGA__&Key-Pair-Id=K12PMWTCQBDMDT))