Published in 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025, 2025
An empirical comparison of pinning vs. floating dependency declarations.
Published in Context Collection Workshop 2025 (co-located with ASE 2025), 2025
A code chunking method for richer context retrieval in repository-level code completion.
Published in ACM Transactions on Software Engineering and Methodology, 2025
A roadmap of research directions for software supply chain security.
Published in Journal of Information Security and Applications, 2025
A case study on metrics that inform selection of security controls.
Published in arxiv, 2025
An industry-focused summit report on secure software supply chains.
Published in 2024 Annual Computer Security Applications Conference (ACSAC), 2024
A taxonomy of challenges encountered when implementing security controls.
Published in arxiv, 2024
We made a list of Security Sensitive APIs in Java using JDK documentation, past CVE fixes, and CWE examples. We then measured the prevalence of these Security-Sensitive API usage in our chosen 45 Java packages and in their dependencies. We finally conducted a developer survey to validate whether security-sensitive API information can be helpful in selecting dependencies.
Published in arxiv, 2024
We quantified the updatedness of dependencies and updatedness of vulnerable dependencies in the context of open source dependencies in this project. The idea is very common in Reliability domain (e.g., Mean-Time-To-Update, Mean-Time-To-Repair, Mean-Time-To-Remediate). We did a large-scale study of our proposed update metrics in NPM, PyPI, and Cargo packages.
Published in 2023 IEEE Conference on Communications and Network Security (CNS), 2023
In this study, we uncovered the inherent vulnerabilities in deep learning based steganogaphic systems, and proposed simple shuffling based solution to mitigate that.