PackagingCon

HELLO WORLD: A Survey of Trust-Based Code Reuse
2021-11-09, Room 3

Open source software communities rely heavily on user trust. However, typosquatting, watering hole attacks, and developer infrastructure exploits can easily undermine the same honor system that enables easy software package reuse. To better understand trust-based code reuse within language-based ecosystems like npm and Python Package Index (PyPI), IQT Labs recently surveyed 150 software engineers, data scientists, and web developers. Despite high levels of educational attainment, the majority of survey takers agreed with the statement “I wish I knew more about security vulnerabilities associated with code reuse.” When asked who is responsible for keeping code safe, more than half of respondents indicated security is a responsibility individual developers share with package registries. However, this diffusion of responsibility and assumption that package registries have adequate resources to address today's shared code vulnerabilities can lead to developer complacency, particularly since many participants admitted they “do not engage in pre-install code vetting.” In addition to discussing the value of more training, clearer policies, and more robust organizational support, this talk explores the importance of package manager usability.


As Senior Technologist at IQT Labs, George P. Sieniawski leads research, prototyping, and digital ethnography projects in a wide range of settings. These include a multi-year, pre-COVID-19 collaboration with the CDC/NCIRD focused on visualizing uncertainty within infectious disease forecast data. A more recent six-month effort, called PCAPviz, involved developing and delivering new network traffic exploration capabilities to security administrators.

John Speed Meyers is an engineer at IQT Labs. His R&D work focuses on open source software, especially its productivity benefits, its security risks, and the analysis of open source software ecosystems.