Research Publications

2025

Leveraging Large Language Models to Detect npm Malicious Packages.
Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, Laurie Williams.
2025 IEEE/ACM 47th International Conference on Software Engineering

Research Directions in Software Supply Chain Security.
Laurie Williams, et al.
ACM Transactions on Software Engineering and Methodology (TOSEM)

2024

Malwarebench: Malware samples are not enough.
Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, Laurie Williams.
In 2024 IEEE/ACM 21st International Conference on Mining Software Repositories (MSR)

2023

Do Software Security Practices Yield Fewer Vulnerabilities?
Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, Laurie Williams
In 2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

OpenSSF Scorecard: On the Path Toward Ecosystem-Wide Automated Security Metrics
Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, Laurie Williams
IEEE Security & Privacy Magazine (2023)

Software Supply Chain Risk Assessment Framework
Nusrat Zahan
In 2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)

Software Bills of Materials Are Required. Are We There Yet?
Nusrat Zahan, Elizabeth Lin, Mahzabin Tamanna, William Enck, Laurie Williams
IEEE Security & Privacy Magazine (2023)

2022

What are Weak Links in the npm Supply Chain?
Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, and Laurie Williams
In 2022 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

Do I Really Need All This Work to Find Vulnerabilities? An Empirical Case Study Comparing Vulnerability Detection Techniques on a Java Application
Sarah Elder, Nusrat Zahan, Rui Shu, Monica Metro, Valeri Kozarev, Tim Menzies, Laurie Williams
Empirical Software Engineering

2021

Structuring a comprehensive software security course around the OWASP application security verification standard
Sarah Elder, Nusrat Zahan, Valeri Kozarev, Rui Shu, Tim Menzies, Laurie Williams
2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET)

In-Submission

Characterizing Dependency Update Practice of NPM, PyPI and Cargo Packages
Imranur Rahman, Nusrat Zahan, Stephen Magill, William Enck, Laurie Williams

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) Tools
Aishwarya Seth, Saikath Bhattacharya, Sarah Elder, Nusrat Zahan, Laurie Williams