This study is concluded.
- The study has been published at USENIX Security (publication).
- We also presented this at VulnCon 2025 (talk).
- Publication website
We want to thank all participants; it was a great experience to interview you. We appreciate you sharing your knowledge, experience, expertise, and, most importantly, the valuable time you have so generously given.
We hope that with this work and your contribution, both the research and open source community are one step closer to more secure and trustworthy software.
We conducted 20 interviews with developers to investigate their processes and challenges around using software composition analysis (SCA) in their software projects. Interviews covered how SCA tools are integrated into workflows, how reports are interpreted and acted upon, and what challenges were encountered.
We find that SCA tools are most often integrated into build pipelines, and that users report that the information in SCA alerts is too generic and lacks context, specifically context on infrastructure, network configurations, reachability, and exploitability. Based on our findings, we conclude that context matters throughout the SCA process, including for evaluating impact, deciding when to trigger SCA scan runners, and determining how to integrate and communicate tool findings.
Researchers
| Name | Position (Affiliation) |
| --- | --- |
| Elizabeth Lin | PhD Student (North Carolina State University) |
| Sparsha Gowda | Master's Student (North Carolina State University) |
| Dominik Wermke | Assistant Professor (North Carolina State University) |
| William Enck | Full Professor (North Carolina State University) |