ARMS: A Vision for Actor Reputation Metric Systems in the Open-Source Software Supply Chain
Kelechi G. Kalu, Sofia Okorafor, Betül Durak, Kim Laine, Radames C. Moreno, Santiago Torres-Arias, and James C. Davis

TL;DR
This paper proposes Actor Reputation Metrics (ARMS) to help open-source software maintainers evaluate the cybersecurity reputation of external contributors, enhancing security decision-making in OSS supply chains.
Contribution
It introduces a framework for incorporating cybersecurity reputation metrics into OSS ecosystems, including security signals, metric mapping, and evaluation strategies.
Findings
Identifies seven security signals relevant to OSS contributions.
Maps existing metrics and tools to these signals.
Discusses potential benefits and challenges of ARMS implementation.
Abstract
Many critical information technology and cyber-physical systems rely on a supply chain of open-source software (OSS) projects. OSS project maintainers often integrate contributions from external actors. While maintainers can assess the correctness of a pull request, assessing a pull request's cybersecurity implications is challenging. To help maintainers make this decision, we propose that the open-source ecosystem should incorporate Actor Reputation Metrics (ARMS). This capability would enable OSS maintainers to assess a prospective contributor's cybersecurity reputation. To support the future instantiation of ARMS, we identify seven generic security signals from industry standards, map concrete metrics from prior work and available security tools, describe study designs to refine and assess the utility of ARMS, and finally weigh its pros and cons.
Taxonomy
Topics: Big Data and Business Intelligence · Cloud Computing and Resource Management · Business Process Modeling and Analysis
