@article{zahan_burckhardt_lysenko_aboukhadijeh_williams_2024, title={MalwareBench: Malware samples are not enough}, ISBN={["979-8-3503-6398-2"]}, ISSN={["2160-1852"]}, url={https://doi.org/10.1145/3643991.3644883}, DOI={10.1145/3643991.3644883}, journal={2024 IEEE/ACM 21ST INTERNATIONAL CONFERENCE ON MINING SOFTWARE REPOSITORIES, MSR}, author={Zahan, Nusrat and Burckhardt, Philipp and Lysenko, Mikola and Aboukhadijeh, Feross and Williams, Laurie}, year={2024}, pages={728–732} } @article{zahan_shohan_harris_williams_2023, title={Do Software Security Practices Yield Fewer Vulnerabilities?}, ISSN={["2832-7640"]}, DOI={10.1109/ICSE-SEIP58684.2023.00032}, abstractNote={Due to the ever-increasing number of security breaches, practitioners are motivated to produce more secure software. In the United States, the White House Office released a memorandum on Executive Order (EO) 14028 that mandates organizations provide self-attestation of the use of secure software development practices. The OpenSSF Scorecard project allows practitioners to measure the use of software security practices automatically. However, little research has been done to determine whether the use of security practices improves package security, particularly which security practices have the biggest impact on security outcomes. The goal of this study is to assist practitioners and researchers in making informed decisions on which security practices to adopt through the development of models between software security practice scores and security vulnerability counts.To that end, we developed five supervised machine learning models for npm and PyPI packages using the OpenSSF Scorecard security practices scores and aggregate security scores as predictors and the number of externally-reported vulnerabilities as a target variable. Our models found that four security practices (Maintained, Code Review, Branch Protection, and Security Policy) were the most important practices influencing vulnerability count. However, we had low R2 (ranging from 9% to 12%) when we tested the models to predict vulnerability counts. Additionally, we observed that the number of reported vulnerabilities increased rather than reduced as the aggregate security score of the packages increased. Both findings indicate that additional factors may influence the package vulnerability count. Other factors, such as the scarcity of vulnerability data, time to implicate security practices vs. time to detect vulnerabilities, and the need for more adequate scripts to detect security practices, may impede the data-driven studies to indicate that a practice can aid in the reduction of externally-reported vulnerabilities. We suggest that vulnerability count and security score data be refined such that these measures may be used to provide actionable guidance on security practices.}, journal={2023 IEEE/ACM 45TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: SOFTWARE ENGINEERING IN PRACTICE, ICSE-SEIP}, author={Zahan, Nusrat and Shohan, Shohanuzzaman and Harris, Dan and Williams, Laurie}, year={2023}, pages={292–303} } @article{zahan_kanakiya_hambleton_shohan_williams_2023, title={OpenSSF Scorecard: On the Path Toward Ecosystem-Wide Automated Security Metrics}, volume={21}, ISSN={["1558-4046"]}, url={https://doi.org/10.1109/MSEC.2023.3279773}, DOI={10.1109/MSEC.2023.3279773}, abstractNote={The OpenSSF Scorecard project is an automated tool to monitor the security health of open source software. This study evaluates the applicability of the Scorecard tool and compares the security practices and gaps in the npm and PyPI ecosystems.}, number={6}, journal={IEEE SECURITY & PRIVACY}, author={Zahan, Nusrat and Kanakiya, Parth and Hambleton, Brian and Shohan, Shohanuzzaman and Williams, Laurie}, year={2023}, month={Nov}, pages={76–88} } @article{zahan_lin_tamanna_enck_williams_2023, title={Software Bills of Materials Are Required. Are We There Yet?}, volume={21}, url={http://dx.doi.org/10.1109/msec.2023.3237100}, DOI={10.1109/msec.2023.3237100}, abstractNote={Executive order 14028 on improving the nation’s cybersecurity highlights the software bill of materials (SBOM) as an essential security practice for software security. This article outlines the top five benefits and challenges of adopting SBOMs, identified by reviewing 200 Internet articles.}, number={2}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Zahan, Nusrat and Lin, Elizabeth and Tamanna, Mahzabin and Enck, William and Williams, Laurie}, year={2023}, month={Mar}, pages={82–88} } @article{zahan_2023, title={Software Supply Chain Risk Assessment Framework}, ISSN={["2574-1926"]}, DOI={10.1109/ICSE-COMPANION58688.2023.00068}, abstractNote={Sonatype has recorded an average 700% jump in software supply chain attacks [1], measured by the number of newly-published malicious packages in open-source repositories. The 2022 Synopsys report [2] assessed the reliance of the software industry on open-source software (OSS), and estimated that 97% of applications use OSS and 78% of the code comes from OSS. Practitioners did not anticipate how the software supply chain would become a deliberate attack vector and how the risk of the software supply chain would keep growing. Practitioners are more aware of the supply chain risks and want to know how to detect the implementation of package security practices and the security risk so they can make informed decisions to select dependencies for their projects. The goal of this research is to aid practitioners in producing more secure software products that are resistant to supply chain attacks through the identification and evaluation of actionable security metrics to detect risky components in the dependency graph. To achieve this goal, the thesis presents research on software security metrics evaluation in different ecosystems by leveraging software security frameworks, malicious attack vectors, and the OpenSSF Scorecard project to detect the implementation of secure practices and their significance to security outcomes.}, journal={2023 IEEE/ACM 45TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: COMPANION PROCEEDINGS, ICSE-COMPANION}, author={Zahan, Nusrat}, year={2023}, pages={251–255} } @article{seth_bhattacharya_zahan_williams_2022, title={Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System}, url={http://dx.doi.org/10.2139/ssrn.4306114}, DOI={10.2139/ssrn.4306114}, abstractNote={Context: Security resources are scarce, and practitioners need guidance in the effective and efficient usage of techniques and tools available in the cybersecurity industry for detecting and preventing the exploitation of vulnerabilities in software, as per the practitioners' requirements. Two emerging tool types, Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), have not been thoroughly evaluated against well-established counterparts such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST).Objective: The goal of this research is to aid practitioners in making informed choices about the use of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools through an analysis of their effectiveness and efficiency in comparison with different vulnerability detection and prevention techniques and tools. Methods: We apply IAST and RASP on OpenMRS, an open-source Java-based online application. We compare efficiency and effectiveness of IAST and RASP with techniques applied on OpenMRS in prior work: Systematic (SMPT) and Exploratory (EMPT) Manual Penetration Testing techniques, as well as SAST and DAST tools. We measure efficiency and effectiveness in terms of the number and type of vulnerabilities detected and prevented per hour.Results: Our study shows IAST performed relatively well compared to other techniques, performing second-best in both efficiency and effectiveness. IAST detected eight Top-10 OWASP security risks compared to nine by SMPT and seven for EMPT, DAST, and SAST. IAST found more vulnerabilities than SMPT. The efficiency of IAST (2.14 VpH) is second to only EMPT (2.22 VpH). These findings imply that our study benefited from using IAST when conducting black-box security testing. We also found RASP only prevents Injection attacks in OpenMRS. Conclusion: In the context of a large, enterprise-scale web application such as OpenMRS, RASP does not replace vulnerability detection, while IAST is a powerful tool that complements other techniques.}, journal={SSRN Electronic Journal}, publisher={Elsevier BV}, author={Seth, Aishwarya and Bhattacharya, Saikath and Zahan, Nusrat and Williams, Laurie}, year={2022} } @article{elder_zahan_shu_metro_kozarev_menzies_williams_2022, title={Do I really need all this work to find vulnerabilities? An empirical case study comparing vulnerability detection techniques on a Java application}, volume={27}, ISSN={["1573-7616"]}, url={http://dx.doi.org/10.1007/s10664-022-10179-6}, DOI={10.1007/s10664-022-10179-6}, number={6}, journal={EMPIRICAL SOFTWARE ENGINEERING}, publisher={Springer Science and Business Media LLC}, author={Elder, Sarah and Zahan, Nusrat and Shu, Rui and Metro, Monica and Kozarev, Valeri and Menzies, Tim and Williams, Laurie}, year={2022}, month={Nov} } @inproceedings{zahan_shohan_harris_williams_2023, title={Do Software Security Practices Yield Fewer Vulnerabilities?}, url={https://ieeexplore.ieee.org/abstract/document/10172593}, DOI={10.48550/ARXIV.2210.14884}, abstractNote={—Due to the ever-increasing security breaches, practitioners are motivated to produce more secure software. In the United States, the White House Office released a memorandum on Executive Order (EO) 14028 that mandates organizations provide self-attestation of the use of secure software development practices. The OpenSSF Scorecard project allows practitioners to measure the use of software security practices automatically. However, little research has been done to determine whether the use of security practices improves package security, particularly which security practices have the biggest impact on security outcomes. The goal of this study is to assist practitioners and researchers making informed decisions on which security practices to adopt through the development of models between software security practice scores and security vulnerability counts. To that end, we developed five supervised machine learning models for npm and PyPI packages using the OpenSSF Score-cared security practices scores and aggregate security scores as predictors and the number of externally-reported vulnerabilities as a target variable. Our models found four security practices ( Maintained, Code Review, Branch Protection, and Security Policy) were the most important practices influencing vulnerability count. However, we had low R 2 (ranging from 9% to 12%) when we tested the models to predict vulnerability counts. Additionally, we observed that the number of reported vulnerabilities increased rather than reduced as the aggregate security score of the packages increased. Both findings indicate that additional factors may influence the package vulnerability count. Other factors, such as the scarcity of vulnerability data, time to implicate security practices vs time to detect vulnerabilities, and the need for more adequate scripts to detect security practices, may impede the data-driven studies to indicate that a practice can aid in the reduction of externally-reported vulnerabilities. We suggest that vulnerability count and security score data be refined such that these measures may be used to provide actionable guidance on security practices.}, publisher={arXiv}, author={Zahan, Nusrat and Shohan, Shohanuzzaman and Harris, Dan and Williams, Laurie}, year={2023} } @article{zahan_kanakiya_hambleton_shohan_williams_2022, title={OpenSSF Scorecard: On the Path Toward Ecosystem-wide Automated Security Metrics}, url={https://arxiv.org/abs/2208.03412}, DOI={10.48550/ARXIV.2208.03412}, abstractNote={The OpenSSF Scorecard project is an automated tool to monitor the security health of open-source software. We used the tool to understand the security practices and gaps in npm and PyPI ecosystems and to confirm the applicability of the Scorecard tool.}, publisher={arXiv}, author={Zahan, Nusrat and Kanakiya, Parth and Hambleton, Brian and Shohan, Shohanuzzaman and Williams, Laurie}, year={2022} } @article{zahan_zimmermann_godefroid_murphy_maddila_williams_2022, title={What are Weak Links in the npm Supply Chain?}, url={http://dx.doi.org/10.1145/3510457.3513044}, DOI={10.1145/3510457.3513044}, abstractNote={Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists in measuring npm supply chain weak link signals to prevent future supply chain attacks by empirically studying npm package metadata. In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. One of our case studies identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts. We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak links signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.}, journal={2022 ACM/IEEE 44TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: SOFTWARE ENGINEERING IN PRACTICE (ICSE-SEIP 2022)}, publisher={ACM}, author={Zahan, Nusrat and Zimmermann, Thomas and Godefroid, Patrice and Murphy, Brendan and Maddila, Chandra and Williams, Laurie}, year={2022}, pages={331–340} } @article{elder_zahan_kozarev_shu_menzies_williams_2021, title={Structuring a Comprehensive Software Security Course Around the OWASP Application Security Verification Standard}, url={http://dx.doi.org/10.1109/icse-seet52601.2021.00019}, DOI={10.1109/ICSE-SEET52601.2021.00019}, abstractNote={Lack of security expertise among software practitioners is a problem with many implications. First, there is a deficit of security professionals to meet current needs. Additionally, even practitioners who do not plan to work in security may benefit from increased understanding of security. The goal of this paper is to aid software engineering educators in designing a comprehensive software security course by sharing an experience running a software security course for the eleventh time. Through all the eleven years of running the software security course, the course objectives have been comprehensive - ranging from security testing, to secure design and coding, to security requirements to security risk management. For the first time in this eleventh year, a theme of the course assignments was to map vulnerability discovery to the security controls of the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS). Based upon student performance on a final exploratory penetration testing project, this mapping may have increased students' depth of understanding of a wider range of security topics. The students efficiently detected 191 unique and verified vulnerabilities of 28 different Common Weakness Enumeration (CWE) types during a three-hour period in the OpenMRS project, an electronic health record application in active use.}, journal={2021 IEEE/ACM 43RD INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: JOINT TRACK ON SOFTWARE ENGINEERING EDUCATION AND TRAINING (ICSE-JSEET 2021)}, publisher={IEEE}, author={Elder, Sarah E. and Zahan, Nusrat and Kozarev, Val and Shu, Rui and Menzies, Tim and Williams, Laurie}, year={2021}, pages={95–104} }