Interview Study on the use of SCA tools

About this study

In this study, we are looking for participants for an interview-based investigation of how SCA (software composition analysis) tools are used. The study aims to uncover how these tools fit into security workflows and how users make decisions based on tool output. From the interviews, we hope to gather insights into SCA tools and software supply chain security.

Motivation

SCA tools determine which software components are included in your application and whether known vulnerabilities exist in those components. A common challenge for SCA tool users is the large number of alerts the tools return, which can overwhelm users. Previous research has also shown differences between the outputs of different SCA tools. However, there is a lack of studies examining SCA tools from the user's perspective.

Research Questions

We aim to answer the following research questions:

  1. How do users interact with SCA tools?
  2. How are SCA alerts prioritized?
  3. How can SCA tools be improved?

Participation

We are looking for people who have experience with SCA tools or are part of an organization that uses SCA tools.

We value and appreciate your contribution to our study and are committed to maintaining your privacy and the confidentiality of all data you provide. We will only use short quotes from the interviews in our publication with your approval, and we will make sure that you cannot be identified from our reporting.

Currently, we are still in the process of getting the study approved, but if you are interested, please send me an email at etlin@ncsu.edu and I will reach out when we are ready to conduct interviews.