Hi, I am Nusrat Zahan, a PhD candidate in Computer Science at North Carolina State University. I work on software supply chain security space under the guidance of Prof. Laurie Williams, at the RealSearch Group.
Selected Work
With our increasing reliance on third-party software, our supply chain has become very complex and comes with a large number of risks that have led to many high-profile supply chain attacks. Different breaches have different causes and involve multiple steps to execute a supply chain attack. To secure our supply chain and ecosystem, we should adopt an adversarial mindset. In this research, we studied the npm ecosystem from the views of a data-driven attacker, focusing on how an attacker would use and assess the publicly available information to identify the weakest link in a software supply chain and then execute a large supply chain attack.
Assessing the Use of OpenSSF Scorecard to Measure the Security Posture of npm and PyPI
The Scorecard project auto-generates a “security score” for OSS projects with a list of security check metrics to verify baseline security standards and generate valuable information about OSS threats and risks. We evaluated the OpenSSF Scorecard security metrics for the npm and PyPI ecosystems to assess the tool’s applicability, identify security gaps, and recommend practical, automated security adoption metrics for practitioners. Additionally, we extended our research to explore the impact of these security practices on overall product security outcomes.
Leveraging Large Language Models to Detect npm Malicious Packages
Existing malicious code detection techniques often suffer from high misclassification rates. Therefore, malicious code detection techniques could be enhanced by adopting advanced, more automated approaches to achieve high accuracy and a low misclassification rate. We present SecurityAI, a malicious code review workflow to detect malicious code using ChatGPT models (GPT-3 and GPT-4). We constructed a benchmark dataset to validate our workflow and compare it with the state-of-the-art CodeQL static analysis tool.
CONTACT ME
nzahan [at] ncsu [dot] edu