research
∙
08/13/2023
S3C2 Summit 2023-06: Government Secure Supply Chain Summit
Recent years have shown increased cyber attacks targeting less secure el...
share
research
∙
07/31/2023
S3C2 Summit 2023-02: Industry Secure Supply Chain Summit
Recent years have shown increased cyber attacks targeting less secure el...
research
∙
07/28/2023
S3C2 Summit 2202-09: Industry Secure Suppy Chain Summit
Recent years have shown increased cyber attacks targeting less secure el...
research
∙
07/03/2023
A Comparative Study of Software Secrets Reporting by Secret Detection Tools
Background: According to GitGuardian's monitoring of public GitHub repos...
research
∙
05/31/2023
Trusting code in the wild: A social network-based centrality rating for developers in the Rust ecosystem
As modern software extensively uses open source packages, developers reg...
research
∙
03/12/2023
SecretBench: A Dataset of Software Secrets
According to GitGuardian's monitoring of public GitHub repositories, the...
research
∙
01/29/2023
What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts?
Throughout 2021, GitGuardian's monitoring of public GitHub repositories ...
research
∙
12/01/2022
An Extended Model of Software Configuration
Feature toggles and configuration options are modern programmatic techni...
research
∙
11/11/2022
An investigation of security controls and MITRE ATT&CK techniques
Attackers utilize a plethora of adversarial techniques in cyberattacks t...
research
∙
11/11/2022
Investigating co-occurrences of MITRE ATT&CK Techniques
Cyberattacks use adversarial techniques to bypass system defenses, persi...
research
∙
10/20/2022
PREPRINT: Do OpenSSF Scorecard Practices Contribute to Fewer Vulnerabilities?
Due to the ever-increasing security breaches, practitioners are motivate...
research
∙
10/05/2022
From Threat Reports to Continuous Threat Intelligence: A Comparison of Attack Technique Extraction Methods from Textual Artifacts
The cyberthreat landscape is continuously evolving. Hence, continuous mo...
research
∙
08/24/2022
What are the Practices for Secret Management in Software Artifacts?
Throughout 2021, GitGuardian's monitoring of public GitHub repositories ...
research
∙
08/06/2022
PREPRINT: Can the OpenSSF Scorecard be used to measure the security posture of npm and PyPI?
The OpenSSF Scorecard project is an automated tool to monitor the securi...
research
∙
08/02/2022
Do I really need all this work to find vulnerabilities? An empirical case study comparing vulnerability detection techniques on a Java application
CONTEXT: Applying vulnerability detection techniques is one of many task...
research
∙
06/19/2022
Phantom Artifacts Code Review Coverage in Dependency Updates
The goal of this study is to aid developers in securely accepting depend...
research
∙
05/02/2022
Reducing the Cost of Training Security Classifier (via Optimized Semi-Supervised Learning)
Background: Most of the existing machine learning models for security ta...
research
∙
03/22/2022
Dazzle: Using Optimized Generative Adversarial Networks to Address Security Data Class Imbalance Issue
Background: Machine learning techniques have been widely used and demons...
research
∙
12/19/2021
What are Weak Links in the npm Supply Chain?
Modern software development frequently uses third-party packages, raisin...
research
∙
12/13/2021
Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages
Vulnerabilities in open source packages can be a security risk for the c...
research
∙
09/14/2021
What are the attackers doing now? Automating cyber threat intelligence extraction from text on pace with the changing threat landscape: A survey
Cybersecurity researchers have contributed to the automated extraction o...
research
∙
08/27/2021
A Comparative Study of Vulnerability Reporting by Software Composition Analysis Tools
Background: Modern software uses many third-party libraries and framewor...
research
∙
04/09/2021
Memory Error Detection in Security Testing
We study 10 C/C++ projects that have been using a static analysis securi...
research
∙
03/08/2021
Structuring a Comprehensive Software Security Course Around the OWASP Application Security Verification Standard
Lack of security expertise among software practitioners is a problem wit...
research
∙
11/23/2020
Omni: Automated Ensemble with Unexpected Models against Adversarial Evasion Attack
BACKGROUND: Machine learning-based security detection models have become...
research
∙
05/30/2020
The 'as Code' Activities: Development Anti-patterns for Infrastructure as Code
Context: The 'as code' suffix in infrastructure as code (IaC) refers to ...
research
∙
11/04/2019
Improved Recognition of Security Bugs via Dual Hyperparameter Optimization
Background: Security bugs need to be handled by small groups of engineer...
research
∙
07/16/2019
Security Smells in Infrastructure as Code Scripts
Context: Security smells are coding patterns in source code that are ind...
research
∙
07/14/2019
Feature Toggle Driven Development: Practices usedby Practitioners
Using feature toggles is a technique that allows developers to either tu...
research
∙
05/16/2019
Better Security Bug Report Classification via Hyperparameter Optimization
When security bugs are detected, they should be (a) discussed privately ...
research
∙
10/21/2018
Source Code Properties of Defective Infrastructure as Code Scripts
Context: In continuous deployment, software and services are rapidly dep...
research
∙
09/21/2018
Categorizing Defects in Infrastructure as Code
Infrastructure as code (IaC) scripts are used to automate the maintenanc...
research
∙
07/13/2018
Where Are The Gaps? A Systematic Mapping Study of Infrastructure as Code Research
Context:Infrastructure as code (IaC) is the practice to automatically co...
research
∙
03/17/2018