The recent discovery of a backdoor in xz Utils, a widely used open source data compression library, has highlighted the critical need for stronger security measures in open source software (OSS). This incident, together with other supply chain attacks such as SolarWinds, demonstrates the risk posed by vulnerabilities in OSS, which makes up a significant portion of the global digital infrastructure. Despite efforts to establish comprehensive security frameworks such as NIST's SSDF, OWASP's SCVS, and SLSA, challenges persist: current security tools often fail to address the specific needs of diverse projects, and existing security metrics do not give a representative view of a project's actual security state.

This proposal addresses the challenge of measuring and improving security in scientific open source projects by examining the adoption and applicability of security metrics and tools. We propose a study divided into three tasks. In the first task, we will investigate the unique security challenges of scientific software by surveying open source software developers about their pain points and needs. In the second task, we will develop security metrics and practices tailored to specific groups of projects, in order to obtain an empirical measurement of the security posture of open source projects. In the third task, we will leverage large language models to improve the security of scientific open source software.

Our final goal is to improve the security of scientific open source software and, hence, improve the security of systems that rely on these critical tools.

Event Host: Juanita Gomez, Ph.D. Student, Computer Science & Engineering

Advisor: Alvaro Cardenas

