Leveraging Large Language Models to Detect npm Malicious Packages.
Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, Laurie Williams.
2025 IEEE/ACM 47th International Conference on Software Engineering
Research Directions in Software Supply Chain Security.
Laurie Williams, et al.
ACM Transactions on Software Engineering and Methodology (TOSEM)
Comparing Effectiveness and Efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) Tools
Aishwarya Seth, Saikath Bhattacharya, Sarah Elder, Nusrat Zahan, Laurie Williams
Empirical Software Engineering
Can the Rising Tide of Software Supply Chain Attacks Raise All Software Engineering Boats?
Laurie Williams, Sivana Hamer, Nusrat Zahan, Laurie Williams
(Keynote) Companion Proceedings of International Conference on the Foundations of Software Engineering (FSE)
Malwarebench: Malware samples are not enough.
Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, Laurie Williams.
In 2024 IEEE/ACM 21st International Conference on Mining Software Repositories (MSR)
Industry Secure Supply Chain Summit.
Nusrat Zahan, Yasemin Acar, Michel Cukier, William Enck, Christian Kästner, Alexandros Kapravelos, Dominik Wermke, Laurie Williams
Do Software Security Practices Yield Fewer Vulnerabilities?
Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, Laurie Williams
In 2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)
OpenSSF Scorecard: On the Path Toward Ecosystem-Wide Automated Security Metrics
Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, Laurie Williams
IEEE Security & Privacy Magazine (2023)
Software Supply Chain Risk Assessment Framework
Nusrat Zahan
In 2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)
Software Bills of Materials Are Required. Are We There Yet?
Nusrat Zahan, Elizabeth Lin, Mahzabin Tamanna, William Enck, Laurie Williams
IEEE Security & Privacy Magazine (2023)
What are Weak Links in the npm Supply Chain?
Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, Laurie Williams
In 2022 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)
Do I Really Need All This Work to Find Vulnerabilities? An Empirical Case Study Comparing Vulnerability Detection Techniques on a Java Application
Sarah Elder, Nusrat Zahan, Rui Shu, Monica Metro, Valeri Kozarev, Tim Menzies, Laurie Williams
Empirical Software Engineering
Structuring a comprehensive software security course around the OWASP application security verification standard
Sarah Elder, Nusrat Zahan, Valeri Kozarev, Rui Shu, Tim Menzies, Laurie Williams
2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET)
Assumptions to Evidence: Evaluating Security Practices Adoption and Their Impact on Outcomes in the npm Ecosystem
Nusrat Zahan, Imranur Rahman, Laurie Williams
How Quickly Do Development Teams Update Their Vulnerable Dependencies?
Imranur Rahman, Nusrat Zahan, Stephen Magill, William Enck, Laurie Williams