Why Johnny Signs with Sigstore: Examining Tooling as a Factor in Software Signing Adoption in the Sigstore Ecosystem
- URL: http://arxiv.org/abs/2503.00271v2
- Date: Tue, 04 Mar 2025 19:55:28 GMT
- Title: Why Johnny Signs with Sigstore: Examining Tooling as a Factor in Software Signing Adoption in the Sigstore Ecosystem
- Authors: Kelechi G. Kalu, Sofia Okorafor, Tanmay Singla, Santiago Torres-Arias, James C. Davis
- Abstract summary: We study the formative usability of Sigstore, a modern and widely adopted software signing tool. We interviewed thirteen (13) experienced security practitioners to study the factors that influence the selection of a tool.
- Score: 5.433194344896805
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The software supply chain security problem arises from integrating software components from several sources. The integrity of these components is ensured by the use of provenance tools, of which software signing is the strongest guarantee. While software signing has been recommended by regulation and industry consortia, practical adoption of software signing has been generally limited. While tooling has been recognized as a key factor influencing software signing adoption and quality by previous studies, most research has focused primarily on its user interface aspects, with little research on other usability considerations like tool selection, user challenges, software engineering process integration intricacies, etc. To understand how software tools influence the practice and adoption of software signing, we study the formative usability of Sigstore, a modern and widely adopted software signing tool. We interviewed thirteen (13) experienced security practitioners to study the factors that influence the selection of a tool, the problems associated with the use of such tools, how practitioners' software signing tools have evolved, and what drives this migration. To summarize our findings: (1) We highlight the various factors practitioners consider before adopting a software signing tool; (2) We highlight the problems and advantages associated with the current tooling choices of practitioners; and (3) We describe the evolution of tooling adoption of our sample population. Our findings provide the software signing tool development community with valuable insights to improve their design of software signing tools.
Related papers
- QualiTagger: Automating software quality detection in issue trackers [4.917423556150366] (arXiv, 2025-04-15)
  This research uses cutting-edge models like Transformers to identify what text is usually associated with different quality properties.
  We also study the distribution of such qualities in issue trackers from openly accessible software repositories.
- Sentiment Analysis Tools in Software Engineering: A Systematic Mapping Study [43.44042227196935] (arXiv, 2025-02-11)
  We aim to help developers or stakeholders in their choice of sentiment analysis tools for their specific purpose.
  Our results summarize insights from 106 papers with respect to (1) the application domain, (2) the purpose, (3) the used data sets, (4) the approaches for developing sentiment analysis tools, (5) the usage of already existing tools, and (6) the difficulties researchers face.
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393] (arXiv, 2024-09-10)
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
  Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
  We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
- From Literature to Practice: Exploring Fairness Testing Tools for the Software Industry Adoption [5.901307724130718] (arXiv, 2024-09-04)
  In today's world, we need to ensure that AI systems are fair and unbiased.
  Current fairness testing tools need significant improvements to better support software developers.
  New tools should be user-friendly, well-documented, and flexible enough to handle different kinds of data.
- An Industry Interview Study of Software Signing for Supply Chain Security [5.433194344896805] (arXiv, 2024-06-12)
  We study the challenges that affect the effective implementation of software signing in practice.
  We highlight the different challenges (technical, organizational, and human) that hamper software signing implementation.
- Efficacy of static analysis tools for software defect detection on open-source projects [0.0] (arXiv, 2024-05-20)
  The study used popular analysis tools such as SonarQube, PMD, Checkstyle, and FindBugs to perform the comparison.
  The study results show that SonarQube performs considerably better than all other tools in terms of its defect detection.
- Charting a Path to Efficient Onboarding: The Role of Software Visualization [49.1574468325115] (arXiv, 2024-01-17)
  The present study aims to explore the familiarity of managers, leaders, and developers with software visualization tools.
  This approach incorporated quantitative and qualitative analyses of data collected from practitioners using questionnaires and semi-structured interviews.
- Machine Learning Based Approach to Recommend MITRE ATT&CK Framework for Software Requirements and Design Specifications [0.0] (arXiv, 2023-02-10)
  To develop secure software, software developers need to think like an attacker through mining software repositories.
  In this paper, we use machine learning algorithms to map requirements to the MITRE ATT&CK database.
- Lessons from Formally Verified Deployed Software Systems (Extended version) [65.69802414600832] (arXiv, 2023-01-05)
  This article examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use.
  It considers the technologies used, the form of verification applied, the results obtained, and the lessons that the software industry should draw regarding its ability to benefit from formal verification techniques and tools.
- Empowered and Embedded: Ethics and Agile Processes [60.63670249088117] (arXiv, 2021-07-15)
  We argue that ethical considerations need to be embedded into the (agile) software development process.
  We put emphasis on the possibility of implementing ethical deliberations in already existing and well-established agile software development processes.
- Machine Learning for Software Engineering: A Systematic Mapping [73.30245214374027] (arXiv, 2020-05-27)
  The software development industry is rapidly adopting machine learning for transitioning modern-day software systems towards highly intelligent and self-learning systems.
  No comprehensive study exists that explores the current state of the art on the adoption of machine learning across software engineering life cycle stages.
  This study introduces a machine learning for software engineering (MLSE) taxonomy classifying the state-of-the-art machine learning techniques according to their applicability to various software engineering life cycle stages.