Write a Blog >>
ESEC/FSE 2021
Thu 19 - Sat 28 August 2021 Clowdr Platform
Fri 27 Aug 2021 16:00 - 16:10 - Dependability—Software Security 1 Chair(s): Yi Li
Sat 28 Aug 2021 04:00 - 04:10 - Dependability—Software Security 1 Chair(s): Mehrdad Sabetzadeh, David Lo

Open source packages have source code available on repositories for inspection (e.g. on GitHub) but developers use pre-built packages directly from the package repositories (such as npm for JavaScript, PyPI for Python, or RubyGems for Ruby).
Such convenient practice assumes that there are no discrepancies between source code and packages. These differences pose both operational risks (e.g. making dependent projects unable to compile) and security risks (e.g. deploying malicious code during package installation) in the software supply chain.
Our empirical assessment of 2438 popular packages in PyPI with an analysis of around 10M lines of code shows several differences in the wild: modifications cannot be just attributed to malicious injections. Yet, scanning again all and whole ‘most likely good but modified’ packages is hard to manage for FOSS downstream users.
We propose a methodology, LastPyMile, for identifying the differences between build artifacts of software packages and the respective source code repository. We show how it can be used to extend current package scanning practices for malware injection (which only covers less than 1% of the code of deployed packages).

Fri 27 Aug

Displayed time zone: Athens change

16:00 - 17:00
Dependability—Software Security 1Research Papers / Industry Papers +12h
Chair(s): Yi Li Nanyang Technological University
16:00
10m
Paper
LastPyMile: Identifying the Discrepancy between Sources and PackagesArtifacts Available
Research Papers
Duc Ly Vu University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam, Ivan Pashchenko University of Trento, Henrik Plate SAP Security Research, Antonino Sabetta SAP Security Research
DOI
16:10
10m
Paper
A Grounded Theory of the Role of Coordination in Software Security Patch Management
Research Papers
Nesara Dissanayake University of Adelaide, Mansooreh Zahedi University of Adelaide, Asangi Jayatilaka University of Adelaide, Muhammad Ali Babar University of Adelaide
DOI
16:20
10m
Paper
Infiltrating Security into Development: Exploring the World’s Largest Software Security Study
Industry Papers
Charles Weir Lancaster University, Sammy Migues Synopsys, Mike Ware Synopsys, Laurie Williams North Carolina State University
DOI
16:30
30m
Live Q&A
Q&A (Dependability—Software Security 1)
Research Papers

Sat 28 Aug

Displayed time zone: Athens change

04:00 - 05:00
Dependability—Software Security 1Research Papers / Industry Papers
Chair(s): Mehrdad Sabetzadeh University of Ottawa, David Lo Singapore Management University
04:00
10m
Paper
LastPyMile: Identifying the Discrepancy between Sources and PackagesArtifacts Available
Research Papers
Duc Ly Vu University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam, Ivan Pashchenko University of Trento, Henrik Plate SAP Security Research, Antonino Sabetta SAP Security Research
DOI
04:10
10m
Paper
A Grounded Theory of the Role of Coordination in Software Security Patch Management
Research Papers
Nesara Dissanayake University of Adelaide, Mansooreh Zahedi University of Adelaide, Asangi Jayatilaka University of Adelaide, Muhammad Ali Babar University of Adelaide
DOI
04:20
10m
Paper
Infiltrating Security into Development: Exploring the World’s Largest Software Security Study
Industry Papers
Charles Weir Lancaster University, Sammy Migues Synopsys, Mike Ware Synopsys, Laurie Williams North Carolina State University
DOI
04:30
30m
Live Q&A
Q&A (Dependability—Software Security 1)
Research Papers