The paper argues that current Software Bills of Materials (SBOMs) are fundamentally flawed due to a lack of shared understanding regarding what constitutes a 'component,' demonstrating that existing t…

The paper proposes a dynamic queueing framework that estimates an organization's cyber resources and attack surface dynamics by analyzing the timestamps of vulnerabilities and fixes, achieving high ac…

The paper introduces 'software supply chain smells,' structural indicators of security risks in third-party dependencies, and presents Dirty-Waters, a tool that detects these smells, finding that diff…

This report summarizes the key takeaways from the S3C2 Summit 2025-09, a gathering of industry practitioners focused on identifying best practices and challenges in securing modern software supply cha…

The paper summarizes a Secure Software Supply Chain Summit held by the S3C2 center, detailing discussions among government agencies on critical security topics to inform future research and collaborat…

The paper proposes a zero-trust supply-chain assurance rubric for O-RAN RIC applications to secure the entire lifecycle, from development to runtime.

This paper analyzes the Node Package Manager (npm) dependency network, demonstrates its vulnerability to targeted attacks, and proposes a defense strategy consisting of Centrality-Based Node-Hardening…

The paper introduces SynthChain, a comprehensive, multi-source synthetic testbed and dataset that demonstrates that detecting advanced software supply chain attacks requires fusing evidence from multi…

This study provides an ecosystem-scale measurement of commit signing on GitHub, finding that current signing adoption rates are misleading and that developers struggle to maintain consistent, long-ter…

The paper proposes a graph-learning approach to predict multi-vulnerability attack chains within software supply chains, achieving high accuracy on both component classification and cascade prediction…

The paper proposes an evidence-driven protocol combining Deterministic Build Systems and Trusted Execution Environments to provide cryptographically verifiable guarantees of software artifact integrit…

The paper analyzes a large dataset of JavaScript packages to demonstrate that a small number of vulnerable dependencies can propagate vulnerabilities across a disproportionately large number of packag…

The paper introduces a provenance-aware vulnerability analysis approach that accurately identifies cross-ecosystem vulnerabilities in Python applications by resolving vendored native libraries to spec…

This paper introduces Dependency Steering, a novel attack paradigm demonstrating that malicious agent skills can actively bias LLM coding agents to use attacker-controlled packages, posing a significa…

The paper conducts an empirical evaluation of automated vulnerability detection tools across multiple software ecosystems using a curated ground-truth dataset derived from OSV, highlighting systematic…

TitanCA presents a novel, multi-agent LLM orchestration framework that significantly improves vulnerability discovery by reducing false positives and identifying numerous zero-day vulnerabilities.

This paper analyzes high-impact Web3 security incidents to show that most losses stem from off-chain organizational and operational failures, not just smart contract bugs.

This experience report details the process and developer perceptions of integrating log-based fraud detection into an Agile workflow, providing practical best practices for embedding security analytic…

The paper argues that the near-term impact of LLM-assisted vulnerability discovery is not simply an increase in zero-day volume, but a critical bottleneck in defender remediation throughput, shifting…

The paper introduces Semantic Compliance Hijacking (SCH), a novel payload-less attack that exploits LLM agent supply chains by manipulating compliance rules to force unauthorized code generation, achi…