Leveraging Team Dynamics to Predict Open-source Software Projects' Susceptibility to Social Engineering Attacks
This addresses a critical security issue for OSS projects and their dependent software, offering a novel, agnostic method to mitigate social engineering risks.
The paper tackles the problem of social engineering attacks on open-source software (OSS) development teams by introducing a security approach that uses team dynamics signatures and patterns to predict susceptibility, enabling proactive defense without relying on code analysis.
Open-source software (OSS) is a critical part of the software supply chain. Recent social engineering attacks against OSS development teams have enabled attackers to become code contributors and later inject malicious code or vulnerabilities into the project with the goal of compromising dependent software. The attackers have exploited interactions among development team members and the social dynamics of team behavior to enable their attacks. We introduce a security approach that leverages signatures and patterns of team dynamics to predict the susceptibility of a software development team to social engineering attacks that enable access to the OSS project code. The proposed approach is programming language-, platform-, and vulnerability-agnostic because it assesses the artifacts of OSS team interactions, rather than OSS code.