MSR4P&S Workshop Presentation – Alexis Butler

The 3rd International workshop on Mining Software Repositories for Privacy and Security (MSR4P&S) this year, was co-located with SANER25 in Montreal, Canada. I was fortunate to be able to attend and present my recent work, Links Between Package Popularity, Criticality, and Security in Software Ecosystems. MSR4P&S focusses on the application of software mining techniques to the security domain, an intersection particularly relevant to my interests in software supply chain risks. This year, the work presented, ranged from the study of LLM PII disclosure risks, to Software Bill of Materials (SBOM) standards conformity. The other published works can be found on the workshop’s webpage.

In the work I presented, we investigated the relationships between package popularity, criticality, and security within software ecosystems, specifically Python and JavaScript/TypeScript. Given the increasing maintenance workloads and stressors faced by open-source software (OSS) maintainers, our research aimed to determine if the security of packages at the core of these ecosystems was being prioritized over those on the periphery. While there are many ways to determine core packages, we made use of two – popularity and criticality, as measured by GitHub Forks and a novel Directed graph centrality measure. Our findings revealed a statistically significant moderate positive correlation between security and popularity in both ecosystems, suggesting that more popular packages tend to have stronger security postures. However, the correlation between security and criticality yielded mixed results, indicating that further investigation is needed to understand the nuances of criticality in different ecosystems.

While I refer to measuring relationships to security, it is more accurate to say the relationship to security posture was measured. This is due to my choice of OSSF Scorecard as the metric for security, a framework that takes a broad definition of security in terms of adherence to Open-Source best practices for secure development. Interestingly, my use of OSSF Scorecard aligned with discussions around another one of the accepted works at MSR4P&S.

Following the presentation, there was an opportunity for questions and discussion, this proved valuable, as multiple other attendees had experience working both with graph centrality measures and dependency graphs. Discussion focused on how the observed structural properties of the dependency graphs could be leveraged to extend this work to enable the prediction of security scores given partial information regarding a package. I feel that both my presentation and the subsequent discussion went well, however, as always, I came away with several ways to improve my approach to presentations.

On completion of the workshop, I attended the Software Quality Assurance for Artificial Intelligence workshop (SQA4AI). Two papers at this workshop drew my attention, one on the effect on LLM prompt patterns on resultant code complexity, and another on Deep Learning specific technical debt. Both works combined interests from my pre-PhD work, while also being relevant to the potential future directions of my PhD.




Comments

Post a Comment

Popular posts from this blog

Remote working and Cyber Security: Georgia Crossland and Amy Ertan

Introducing the project The shift to remote working represents a huge shift for employees and organisations alike, introducing significant implications for cyber security. Amy Ertan and Georgia Crossland are currently working on a research project, in collaboration with the Research Institute for Sociotechnical Cyber Security (RISCS) and funded by the UK National Cyber Security Centre (NCSC), on the impact of remote working on cyber security and wellbeing. This blog post will give an overview of a section of this project, how remote working impacts cyber security. In response to COVID-19, in March 2020, organisations across the world made the rapid shift away from physical office working to remote working, wherever possible. This shift has had a significant impact across many aspects of organisations. This blog post will offer a high-level overview of how the cyber threat landscape was impacted for many organisations and may further change organisational cyber resilience. Remote workin...
Read more

New Publication: Remote Working and (In)Security?: Amy Ertan

Image
A recent research report by CDT researchers Amy Ertan and Georgia Crossland has been published with the Research Institute for Sociotechnical Cyber Security (RISCS). The report examines ‘The Impact of Pandemic-Driven Remote Working on Employee Wellbeing, the Psychological Contract and Cyber Security’, with research carried out through a series of interviews with senior cyber security colleagues between January and April 2021. The full report can be found on the RISCS website: New publication: Remote Working and (In)Security | RISCS. Context In the UK and around the world, the impact of COVID-19 represented a total shift away from what was considered ‘normal living’. One aspect of this change was the rapid transition to remote working as people were encouraged to work from home and limit contact with others as far as possible through repeated lockdown conditions. Fellow CDT colleague Georgia Crossland and I were curious to explore how remote working has impacted the experiences - and se...
Read more

The Artificial Intelligence Monster: Nicola Bates

Image
Christopher Booker in 2004 wrote of the seven basic plots to any story, one of these being ‘overcoming the monster’. Within Hollywood, such ‘monsters’ often reflects the zeitgeist balancing commercial requirements with the political and societal preoccupations of the age. The monster evolves over time - from Russia in the Cold War years through to lone actors and terrorists and now to seemingly shadowy figures controlling intelligence. Whilst generally lighter in tone, such monsters also exist within children’s cinema. In recent years this monster has become increasingly defined by their use of highly sophisticated technology, finally becoming the technology in ‘The Mitchells vs. the Machine’*. Lethal technology and subversive machines aren’t new concepts in children’s movies. They can, for example, be found in ‘Short Circuit’ back in 1986. This movie begins with five United States military robots in a training exercise against tanks and focusses upon one of the robots becoming ‘alive’...
Read more