CCS2024
Skipping the Security Side Quests: A Qualitative Study on Security Practices and Challenges in Game Development
Philip Klostermeyer, Sabrina Amft, Sandra Höltervennhoff, Alexander Krause, Niklas Busch, Sascha Fahl
4 citations
Abstract
Open source components are ubiquitous in companies' setups, processes, and software. Utilizing these external components as building blocks enables companies to leverage the benefits of open source software, allowing them to focus their efforts on features and faster delivery instead of writing their own components. But by introducing these components into their software stack, companies inherit unique security challenges and attack surfaces: including code from potentially unvetted contributors and obligations to assess and mitigate the impact of vulnerabilities in external components. In 25 in-depth, semi-structured interviews with software developers, architects, and engineers from industry projects, we investigate their projects' processes, decisions, and considerations in the context of external open source code. We find that open source components play an important role in many of our participants' projects, that most projects have some form of company policy or at least best practice for including external code, and that many developers wish for more developer-hours, dedicated teams, or tools to better audit included components. Based on our findings, we discuss implications for company stakeholders and the open source software ecosystem. Overall, we appeal to companies to not treat the open source ecosystem as a free (software) supply chain and instead to contribute towards the health and security of the overall software ecosystem they benefit from and are part of.

architects, and engineers from a diverse sample of industry projects and companies, to investigate the importance of OSCs in companies' software stacks, as well as related security challenges and considerations, guided by the following research questions:

RQ1. "How are Open Source Components included in companies' tech stacks in terms of position, importance, and security effects?"
OSCs hold an important role in many companies' software stacks. We are interested in the specific roles of these components in the software stack, as well as if and how these components are considered in the update and security processes of the projects.

RQ2. "What are companies' awareness, experiences, and attitudes regarding the security of including external open source code?"
Including external OSCs in industry projects introduces unique security challenges and attack vectors such as code contributions from unvetted sources. We are interested in companies' awareness surrounding the security of including external open source code, as well as their experiences with, and past challenges of, including external code in the context of security and updates. We are also interested in the companies' attitudes about including, managing, and contributing back to open source projects.

RQ3. "If and how do stakeholders make decisions and considerations around security and trust challenges of including Open Source Components?"
The major impact of security challenges in OSCs justifies specific considerations. We are interested in measures that companies utilize to decide on including OSCs, what decisions and considerations they have in place for the external code, and which improvements and changes stakeholders consider.

This work is structured as follows: After this general introduction (Section 1), we discuss related work in the areas of dependency analyses and selection, security research with software developers, and interview studies in a security context (Section 2). We then describe our interview approach (Section 3) and highlight our findings (Section 4). Finally, we discuss our findings (Section 5) and draw a conclusion (Section 6).

Replication Package
In line with the effort to support replication of our work and help other researchers build upon it, this publication has a companion website with a full replication package and an artifact repository available.
1 Related Work
In this section, we present and discuss related work in three areas: research investigating dependencies and the selection thereof, security research involving software developers and similar stakeholders, as well as interview studies with a focus on security. We also put our work into context and illustrate the novel contributions of our research.

1. https://publications.teamusec.de/2023-oakland-oss-consumers/

Interview Structure
We report on the structure of the semi-structured interviews below and in Figure 1. The interviews were structured in six main sections consisting of one to four opening questions, corresponding follow-up questions, and sometimes