Posts

Showing posts from 2025

MSR4P&S Workshop Presentation – Alexis Butler

The 3rd International Workshop on Mining Software Repositories for Privacy and Security (MSR4P&S) this year was co-located with SANER25 in Montreal, Canada. I was fortunate to be able to attend and present my recent work, Links Between Package Popularity, Criticality, and Security in Software Ecosystems. MSR4P&S focusses on the application of software mining techniques to the security domain, an intersection particularly relevant to my interests in software supply chain risks. This year, the work presented ranged from the study of LLM PII disclosure risks to Software Bill of Materials (SBOM) standards conformity. The other published works can be found on the workshop’s webpage. In the work I presented, we investigated the relationships between package popularity, criticality, and security within software ecosystems, specifically Python and JavaScript/TypeScript. Given the increasing maintenance workloads and stressors faced by open-source software (OSS) maintainers, our...

A Tale of Two Conferences - Phil Sheriff

It is hard to imagine two more different conferences. On the one hand, there was the second iteration of the Global Conference on Cyber Capacity Building, full of international organisations, cyber not-for-profits, with its global representation of government cybersecurity officials and implementors. The setting, Geneva, with its international bodies from WTO to UEFA and mountainous scenic backdrop, was spectacular, the conference crowd well attired and familiar, the content reassuringly predictable, and the catering abundant. On the other hand there was the UK Evaluation Society conference in Glasgow. No less spectacular in its own way, but with a crowd of evaluation experts and academics who were much less familiar, the content expansive and original, not a suit in sight, and no free drinks. And whilst both areas, cybersecurity capacity building and evaluation, are well known and well understood in their own right by experienced practitioners and seasoned professionals, if you ...