An Empirical Study of Security Culture in Open Source Software Communities

Open source software (OSS) is a core part of virtually all software applications today. Due to the rapidly growing impact of OSS on society and the economy, the security aspect has attracted researchers' attention to investigate this distinctive phenomenon. Traditionally, research on OSS security has often focused on technical aspects of software development. We argue that these aspects are important, however, technical security practice considering different social aspects of OSS development will assure the effectiveness and efficiency of the implementation of the tool. To mitigate this research gap, in this empirical study, we explore the current security culture in the OSS development phenomenon using a survey instrument with six evaluation dimensions: attitude, behavior, competency, subjective norms, governance, and communication. By exploring the current security culture in OSS communities, we can start to understand the influence of security on participants' security behaviors and decision-making, so that we can make realistic and practical suggestions. In this paper, we present the measurements of security culture adopted in the study and discuss corresponding security issues that need to be addressed in OSS communities.