2025

  • Giacomo Benedetti, Oreofe Solarin, Courtney Miller, Greg Tystahl, William Enck, Christian Kästner, Alexandros Kapravelos, Alessio Merlo, and Luca Verderame, An Empirical Study on Reproducible Packaging in Open-Source Ecosystems, in Proceedings of the IEEE/ACM International Conference on Software Engineering (ICSE), Apr. 2025.
  • Jan-Ulrich Holtgrave, Kay Friedrich, Fabian Fischer, Nicolas Huaman, Niklas Busch, Jan H. Klemmer, Marcel Fourné, Oliver Wiese, Dominik Wermke, and Sascha Fahl, Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security, in Network and Distributed System Security (NDSS) Symposium 2025, February 24-28, 2025, Feb. 2025.
  • Laurie Williams, Giacomo Benedetti, Sivana Hamer, Ranindya Paramitha, Imranur Rahman, Mahzabin Tamanna, Greg Tystahl, Nusrat Zahan, Patrick Morrison, Yasemin Acar, Michel Cukier, Christian Kästner, Alexandros Kapravelos, Dominik Wermke, and William Enck, Research Directions in Software Supply Chain Security, ACM Trans. Softw. Eng. Methodol., Jan. 2025. Just Accepted.

2024

  • Harshini Sri Ramulu, Helen Schmitt, Dominik Wermke, and Yasemin Acar, Security and Privacy Software Creators’ Perspectives on Unintended Consequences, in Proceedings of the USENIX Security Symposium, Aug. 2024.
  • Madison Thomas, Erynn Elmore, Brenda Chavez, Ronaisha Ruth, Charlotte Avery, Michel Cukier, and Veronica Cateté, Equitable Access to Cyber-security Education: A Case Study of Underserved Middle School Students, in Proceedings of the ACM Conference on Innovation and Technology in Computer Science Education (ITiCSE), Jul. 2024.
  • Trevor Dunlap, John Speed Meyers, Brad Reaves, and William Enck, Pairing Security Advisories with Vulnerable Functions Using Open-Source LLMs, in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Jul. 2024.
  • Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves, VFCFinder: Pairing Security Advisories and Patches, in Proceedings of the ACM ASIA Conference on Computer and Communications Security (AsiaCCS), Jul. 2024.
  • Lina Boughton, Courtney Miller, Yasemin Acar, Dominik Wermke, and Christian Kästner, Decomposing and Measuring Trust in Open-Source Software Supply Chains, in Proceedings of the International Conference on Software Engineering – New Ideas Track (ICSE-NIER), Apr. 2024.
  • Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, and Laurie Williams, MalwareBench: Malware Samples are Not Enough, in Proceedings of the IEEE/ACM International Conference on Mining Software Repositories (MSR), Apr. 2024.
  • Laurie Williams, Narrowing the Software Supply Chain Attack Vectors: The SSDF Is Wonderful but not Enough, IEEE Security & Privacy Magazine, vol. 22, no. 2, pp. 4–7, Mar. 2024. (From the Editors).
  • Elizabeth Lin, Igibek Koishybayev, Trevor Dunlap, William Enck, and Alexandros Kapravelos, UntrustIDE: Exploiting Weaknesses in VS Code Extensions, in Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS), Feb. 2024. (distinguished paper).

2023

  • Courtney Miller, Christian Kästner, and Bogdan Vasilescu, "We Feel Like We’re Winging It:" A Study on Navigating Open-Source Dependency Abandonment, in Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), Dec. 2023.
  • Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, and Laurie Williams, OpenSSF Scorecard: On the Path Toward Ecosystem-wide Automated Security Metrics, IEEE Security & Privacy Magazine, vol. 21, no. 6, pp. 76–88, Nov. 2023.
  • Marcel Fourné, Dominik Wermke, Sascha Fahl, and Yasemin Acar, A Viewpoint on Human Factors in Software Supply Chain Security: A Research Agenda, IEEE Security & Privacy, vol. 21, no. 6, pp. 59–63, Nov. 2023.
  • William Enck, Yasemin Acar, Michel Cukier, Alexandros Kapravelos, Christian Kästner, and Laurie Williams, S3C2 Summit 2023-06: Government Secure Supply Chain Summit. Aug-2023. arXiv:2308.06850.
  • Tadayoshi Kohno, Yasemin Acar, and Wulf Loh, Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations, in Proceedings of the USENIX Security Symposium, Aug. 2023. (distinguished paper).
  • Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry, ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions, in Proceedings of the USENIX Security Symposium, Aug. 2023.
  • Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, and Sascha Fahl, Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories, in Proceedings of the USENIX Security Symposium, Aug. 2023.
  • Trevor Dunlap, Yasemin Acar, Michel Cukier, William Enck, Alexandros Kapravelos, Christian Kästner, and Laurie Williams, S3C2 Summit 2023-02: Industry Secure Supply Chain Summit. Jul-2023. arXiv:2307.16557.
  • Mindy Tran, Yasemin Acar, Michel Cukier, William Enck, Alexandros Kapravelos, Christian Kästner, and Laurie Williams, S3C2 Summit 2022-09: Industry Secure Supply Chain Summit. Jul-2023. arXiv:2307.15642.
  • Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves, Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis, in Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), Jul. 2023.
  • Nusrat Zahan, Shohanuzzaman Shohan, Dan Harris, and Laurie Williams, Do Software Security Practices Yield Fewer Vulnerabilities?, in Proceedings of the IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), May 2023, pp. 292–303.
  • Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar, It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2023.
  • Dominik Wermke, Jan H. Klemmer, Noah Wöhler, Juliane Schmüser, Harshini Sri Ramulu, Yasemin Acar, and Sascha Fahl, “Always Contribute Back”: A Qualitative Study on Security Challenges of the Open Source Supply Chain, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2023.
  • Nusrat Zahan, Elizabeth Lin, Mahzabin Tamanna, William Enck, and Laurie Williams, Software Bills of Materials Are Required. Are We There Yet?, IEEE Security & Privacy, vol. 21, no. 2, pp. 82–88, Apr. 2023.