Does your development team plan ahead to secure your software from attacks? Have you encountered a dependency vulnerability, build system attack, or another software supply chain threat to your project? We would love to interview you about your experience!

We are researchers from the Wolfpack Security and Privacy Research Lab at North Carolina State University interested in how developers and practitioners encounter, mitigate, and plan for software supply chain threats. We are also part of the Secure Software Supply Chain Center, a multi-institution research initiative aimed at securing the modern software supply chain.

Interview Participation

We are looking for developers with experience handling and preparing for threats to their software, especially supply chain threats. We are interested in your practical experiences, opinions, and challenges related to securing your software. The interview will take no longer than 60 minutes and includes a compensation of $40.

What to Expect

  • Data usage: Fully anonymous. At most, short anonymized quotes from the interview may be published.
  • Estimated time: About 45–60 minutes of your valuable time.
  • Scheduling an interview: Flexible scheduling. Weekend and evening time slots are available if needed.
  • Book an interview with us through Google Calendar, or email us anytime if you have any questions!

About This Study

This study investigates developers’ attitudes & perceptions of software supply chain threats and how they anticipate, prepare for, and mitigate these threats. Our goal is to better understand the spectrum of experiences, practices, and challenges that developers have faced.

Motivation

As the software development life cycle becomes increasingly complex with the integration of more and more tools, dependencies, and components, risks from those elements also rise. Vulnerabilities can be introduced from any link in the software supply chain (SSC), and given how far supply chain attacks can spread through targeting popular libraries or applications, such as the log4j and XZ Utils attacks, developers are very likely to encounter these threats and have to make decisions on how to prepare for them.

While previous work has documented the different forms of threats, there is a lack of research into developers’ personal knowledge of them. Through conducting interviews, we aim to learn how perspectives can vary with experience and the approaches different teams take to stay on top of software threats.

We aim to answer the following research questions:

  1. What SSC threats are developers aware/not aware of?
  2. How do developers anticipate, mitigate, and prioritize these threats?
  3. How do developers evaluate the effectiveness of their threat mitigations?

Some sample interview questions include:

  • What types of software supply chain threats do you encounter the most?
  • Do you have defenses/security measures against these threats?
  • Do you face challenges while mitigating threats?

Data Handling

We value your contribution and are committed to protecting your privacy and confidentiality. We take measures to secure the data we collect: Interview recordings will be destroyed after transcription. Anonymized transcripts will be destroyed after project completion (likely within a few months). We will only use short quotes from the interviews in our publication with your approval, and we will make sure that you cannot be identified from our reporting. Only the research team will access the data, under an approved IRB process.

Researchers

  • Jess Moorefield: PhD Student (North Carolina State University), email
  • Dominik Wermke: Assistant Professor (North Carolina State University), email
  • Yasemin Acar: Full Professor (Paderborn University)