2024

  • Harshini Sri Ramulu, Helen Schmitt, Dominik Wermke, and Yasemin Acar, Security and Privacy Software Creators’ Perspectives on Unintended Consequences, in Proceedings of the USENIX Security Symposium, Aug. 2024.
  • Madison Thomas, Erynn Elmore, Brenda Chavez, Ronaisha Ruth, Charlotte Avery, Michel Cukier, and Veronica Cateté, Equitable Access to Cyber-security Education: A Case Study of Underserved Middle School Students, in Proceedings of the ACM conference on Innovation and Technology in Computer Science Education (ITiCSE), Jul. 2024.
  • Trevor Dunlap, John Speed Meyers, Brad Reaves, and William Enck, Pairing Security Advisories with Vulnerable Functions Using Open-Source LLMs, in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Jul. 2024.
  • Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves, VFCFinder: Pairing Security Advisories and Patches, in Proceedings of the ACM ASIA Conference on Computer and Communications Security (AsiaCCS), Jul. 2024.
  • Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, and Laurie Williams, MalwareBench: Malware Samples are Not Enough, in Proceedings of the IEEE/ACM International Conference on Mining Software Repositories (MSR), Apr. 2024.
  • Lina Boughton, Courtney Miller, Yasemin Acar, Dominik Wermke, and Christian Kästner, Decomposing and Measuring Trust in Open-Source Software Supply Chains, in Proceedings of the International Conference on Software Engineering – New Ideas Track (ICSE-NIER), Apr. 2024.
  • Laurie Williams, Narrowing the Software Supply Chain Attack Vectors: The SSDF Is Wonderful but not Enough, IEEE Security & Privacy Magazine, vol. 22, no. 2, pp. 4–7, Mar. 2024. (From the Editors).
  • Elizabeth Lin, Igibek Koishybayev, Trevor Dunlap, William Enck, and Alexandros Kapravelos, UntrustIDE: Exploiting Weaknesses in VS Code Extensions, in Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS), Feb. 2024. (distinguished paper).

2023

  • Courtney Miller, Christian Kästner, and Bogdan Vasilescu, "We Feel Like We’re Winging It:" A Study on Navigating Open-Source Dependency Abandonment, in Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), Dec. 2023.
  • Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, and Laurie Williams, OpenSSF Scorecard: On the Path Toward Ecosystem-wide Automated Security Metrics, IEEE Security & Privacy Magazine, vol. 21, no. 6, pp. 76–88, Nov. 2023.
  • Marcel Fourné, Dominik Wermke, Sascha Fahl, and Yasemin Acar, A Viewpoint on Human Factors in Software Supply Chain Security: A Research Agenda, IEEE Security & Privacy, vol. 21, no. 6, pp. 59–63, Nov. 2023.
  • William Enck, Yasemin Acar, Michel Cukier, Alexandros Kapravelos, Christian Kästner, and Laurie Williams, S3C2 Summit 2023-06: Government Secure Supply Chain Summit, Aug. 2023. arXiv:2308.06850.
  • Tadayoshi Kohno, Yasemin Acar, and Wulf Loh, Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations, in Proceedings of the USENIX Security Symposium, Aug. 2023. (distinguished paper).
  • Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry, ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions, in Proceedings of the USENIX Security Symposium, Aug. 2023.
  • Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, and Sascha Fahl, Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories, in Proceedings of the USENIX Security Symposium, Aug. 2023.
  • Trevor Dunlap, Yasemin Acar, Michel Cukier, William Enck, Alexandros Kapravelos, Christian Kästner, and Laurie Williams, S3C2 Summit 2023-02: Industry Secure Supply Chain Summit, Jul. 2023. arXiv:2307.16557.
  • Mindy Tran, Yasemin Acar, Michel Cukier, William Enck, Alexandros Kapravelos, Christian Kästner, and Laurie Williams, S3C2 Summit 2022-09: Industry Secure Supply Chain Summit, Jul. 2023. arXiv:2307.15642.
  • Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves, Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis, in Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), Jul. 2023.
  • Nusrat Zahan, Shohanuzzaman Shohan, Dan Harris, and Laurie Williams, Do Software Security Practices Yield Fewer Vulnerabilities?, in Proceedings of the IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), May 2023, pp. 292–303.
  • Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar, It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2023.
  • Dominik Wermke, Jan H. Klemmer, Noah Wöhler, Juliane Schmüser, Harshini Sri Ramulu, Yasemin Acar, and Sascha Fahl, “Always Contribute Back”: A Qualitative Study on Security Challenges of the Open Source Supply Chain, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2023.
  • Nusrat Zahan, Elizabeth Lin, Mahzabin Tamanna, William Enck, and Laurie Williams, Software Bills of Materials Are Required. Are We There Yet?, IEEE Security & Privacy, vol. 21, no. 2, pp. 82–88, Apr. 2023.