{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T06:45:02Z","timestamp":1769755502996,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":57,"publisher":"ACM","funder":[{"name":"US National Science Foundation","award":["2207008"],"award-info":[{"award-number":["2207008"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,6,23]]},"DOI":"10.1145\/3696630.3734200","type":"proceedings-article","created":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:09:27Z","timestamp":1753729767000},"page":"18-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Can the Rising Tide of Software Supply Chain Attacks Raise All Software Engineering Boats?"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3300-6540","authenticated-orcid":false,"given":"Laurie","family":"Williams","sequence":"first","affiliation":[{"name":"North Carolina State University, Raleigh, NC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-8381-1436","authenticated-orcid":false,"given":"Sivana","family":"Hamer","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, NC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2738-4118","authenticated-orcid":false,"given":"Nusrat","family":"Zahan","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, NC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,7,28]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Building Maturity In Maturity Model (BSIMM). https:\/\/www.blackduck.com\/services\/security-program\/bsimm-maturity-model.html","author":"Black Duck","year":"2025","unstructured":"Black Duck. Building Maturity In Maturity Model (BSIMM). https:\/\/www.blackduck.com\/services\/security-program\/bsimm-maturity-model.html (2025)."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"crossref","unstructured":"Boehm M. Carter H. and Osborne C. Pathways to cybersecurity best practices in open source: How the civil infrastructure platform yocto project and zephyr project are closing the gap to meeting the requirements of the cyber resilience act 2025.","DOI":"10.70828\/UPDC4713"},{"key":"e_1_3_2_1_3_1","first-page":"295","volume-title":"Cyber defense and situational awareness","author":"Cheng Y.","year":"2014","unstructured":"Cheng, Y., Deng, J., Li, J., DeLoach, S. A., Singhal, A., and Ou, X. Metrics of security. In Cyber defense and situational awareness. Springer, 2014, pp. 263\u2013295."},{"key":"e_1_3_2_1_4_1","volume-title":"Software supply chain best practices v2. https:\/\/tag-security.cncf.io\/blog\/software-supply-chain-security-best-practices-v2\/","author":"Cloud Native Computing Foundation","year":"2024","unstructured":"Cloud Native Computing Foundation. Software supply chain best practices v2. https:\/\/tag-security.cncf.io\/blog\/software-supply-chain-security-best-practices-v2\/ (2024)."},{"key":"e_1_3_2_1_5_1","author":"Cyber Safety Review Board","year":"2021","unstructured":"Cyber Safety Review Board. Review of the December 2021 Log4j Event. https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/CSRB-Report-on-Log4-July-11-2022_508.pdf, 2022.","journal-title":"Review of the"},{"key":"e_1_3_2_1_6_1","unstructured":"Cybersecurity and Infrastructure Security Agency. Joint Statement by the Federal Bureau of Investigation (FBI) the Cybersecurity and Infrastructure Security Agency (CISA) the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA). https:\/\/www.cisa.gov\/news-events\/news\/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure-security-agency-0 2021."},{"key":"e_1_3_2_1_7_1","volume-title":"Secure publication of datadog agent integrations with tuf and in-toto. https:\/\/www.datadoghq.com\/blog\/engineering\/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto\/","author":"Datadog Engineering","year":"2023","unstructured":"Datadog Engineering. Secure publication of datadog agent integrations with tuf and in-toto. https:\/\/www.datadoghq.com\/blog\/engineering\/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto\/ (2023)."},{"key":"e_1_3_2_1_8_1","volume-title":"Secure software development attestation form","author":"Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).","year":"2024","unstructured":"Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). Secure software development attestation form, 2024."},{"key":"e_1_3_2_1_9_1","first-page":"505","volume-title":"2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)","author":"Dunlap T.","year":"2023","unstructured":"Dunlap, T., Thorn, S., Enck, W., and Reaves, B. Finding fixed vulnerabilities with off-the-shelf static analysis. In 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P) (2023), pp. 489\u2013505."},{"key":"e_1_3_2_1_10_1","volume-title":"The protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation)","author":"European Union","year":"2016","unstructured":"European Union. The protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation), 2016."},{"key":"e_1_3_2_1_11_1","volume-title":"Horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168\/2013 and (EU) No 2019\/1020 and Directive (EU) 2020\/1828 (Cyber Resilience Act)","author":"European Union","year":"2024","unstructured":"European Union. Horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168\/2013 and (EU) No 2019\/1020 and Directive (EU) 2020\/1828 (Cyber Resilience Act), 2024."},{"key":"e_1_3_2_1_12_1","unstructured":"FireEye. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor 2020."},{"key":"e_1_3_2_1_13_1","volume-title":"March 29","author":"Freund A.","year":"2024","unstructured":"Freund, A. backdoor in upstream xz\/liblzma leading to ssh server compromise. https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4, March 29, 2024."},{"key":"e_1_3_2_1_14_1","volume-title":"Log4j, or XZ Utils. arXiv preprint arXiv:2503.12192","author":"Hamer S.","year":"2025","unstructured":"Hamer, S., Bowen, J., Haqe, M. N., Hines, R., Madden, C., and Williams, L. Closing the Chain: How to reduce your risk of being SolarWinds, Log4j, or XZ Utils. arXiv preprint arXiv:2503.12192 (2025)."},{"key":"e_1_3_2_1_15_1","first-page":"37","volume-title":"Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","author":"Hassanshahi B.","year":"2023","unstructured":"Hassanshahi, B., Mai, T. N., Michael, A., Selwyn-Smith, B., Bates, S., and Krishnan, P. Macaron: A logic-based framework for software supply chain security assurance. In Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (2023), pp. 29\u201337."},{"key":"e_1_3_2_1_16_1","volume-title":"March 29","author":"Hat R.","year":"2024","unstructured":"Hat, R. Urgent security alert for fedora linux 40 and fedora rawhide users. https:\/\/www.redhat.com\/en\/blog\/urgent-security-alert-fedora-40-and-rawhide-users, March 29, 2024."},{"key":"e_1_3_2_1_17_1","unstructured":"Kubernetes and IBM. Building an image trust service on kubernetes with notary and tuf. https:\/\/kubernetes.io\/case-studies\/ibm\/ n.d. Accessed: 2024-09-26."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","DOI":"10.70828\/TWBS3885","volume-title":"Unaware and uncertain: The stark realities of cyber resilience act readiness in open source","author":"Lawson A.","year":"2025","unstructured":"Lawson, A., and Hendrick, S. Unaware and uncertain: The stark realities of cyber resilience act readiness in open source, 2025."},{"key":"e_1_3_2_1_19_1","first-page":"213","volume-title":"Proceedings of the 32nd annual conference on computer security applications","author":"Li Z.","year":"2016","unstructured":"Li, Z., Zou, D., Xu, S., Jin, H., Qi, H., and Hu, J. Vulpecker: an automated vulnerability detection system based on code similarity analysis. In Proceedings of the 32nd annual conference on computer security applications (2016), pp. 201\u2013213."},{"key":"e_1_3_2_1_20_1","volume-title":"Open source project security baseline. https:\/\/github.com\/ossf\/security-baseline","author":"Linux Foundation","year":"2021","unstructured":"Linux Foundation. Open source project security baseline. https:\/\/github.com\/ossf\/security-baseline (2021)."},{"key":"e_1_3_2_1_21_1","volume-title":"Apache log4j security vulnerabilities","author":"Log J.","year":"2021","unstructured":"Log4J. Apache log4j security vulnerabilities, 2021."},{"key":"e_1_3_2_1_22_1","volume-title":"https:\/\/attack.mitre.org\/","year":"2024","unstructured":"MITRE. MITRE ATT&CK. https:\/\/attack.mitre.org\/, 2024."},{"key":"e_1_3_2_1_23_1","volume-title":"Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings. https:\/\/nvlpubs.nist.gov\/nistpubs\/ir\/2024\/NIST.IR.8477.pdf","author":"National Institute of Standards and Technology.","year":"2024","unstructured":"National Institute of Standards and Technology. NIST IR 8477 Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings. https:\/\/nvlpubs.nist.gov\/nistpubs\/ir\/2024\/NIST.IR.8477.pdf, 2024."},{"key":"e_1_3_2_1_24_1","first-page":"2367","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","author":"Newman Z.","year":"2022","unstructured":"Newman, Z., Meyers, J. S., and Torres-Arias, S. Sigstore: Software signing for everybody. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (2022), pp. 2353\u20132367."},{"key":"e_1_3_2_1_25_1","first-page":"62","volume-title":"2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","author":"Nguyen-Truong G.","year":"2022","unstructured":"Nguyen-Truong, G., Kang, H. J., Lo, D., Sharma, A., Santosa, A. E., Sharma, A., and Ang, M. Y. Hermes: Using commit-issue linking to detect vulnerability-fixing commits. In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) (2022), IEEE, pp. 51\u201362."},{"key":"e_1_3_2_1_26_1","volume-title":"https:\/\/csrc.nist.gov\/projects\/ssdf","author":"Secure Software Development Framework","year":"2022","unstructured":"NIST. Secure Software Development Framework (SSDF). https:\/\/csrc.nist.gov\/projects\/ssdf (2022). Accessed: February 21, 2025."},{"key":"e_1_3_2_1_27_1","volume-title":"Accessed","author":"Security Controls NIST","year":"2024","unstructured":"NIST. Security Controls - NIST Glossary, 2024. Accessed: February 19, 2025."},{"key":"e_1_3_2_1_28_1","volume-title":"SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-161r1-upd1.pdf","author":"NIST.","year":"2024","unstructured":"NIST. SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-161r1-upd1.pdf (2024)."},{"key":"e_1_3_2_1_29_1","volume-title":"Openssf: Open source security foundation","author":"Open Source Security Foundation","year":"2024","unstructured":"Open Source Security Foundation. Openssf: Open source security foundation, 2024. Accessed: 2025-04-24."},{"key":"e_1_3_2_1_30_1","volume-title":"Software Supply Chain Consumption Framework (S3C2F). https:\/\/github.com\/ossf\/s2c2f","author":"Open SSF","year":"2022","unstructured":"OpenSSF. Software Supply Chain Consumption Framework (S3C2F). https:\/\/github.com\/ossf\/s2c2f (2022)."},{"key":"e_1_3_2_1_31_1","volume-title":"Supply chain Levels for Software Artifacts (SLSA). https:\/\/slsa.dev\/","author":"Open SSF","year":"2022","unstructured":"OpenSSF. Supply chain Levels for Software Artifacts (SLSA). https:\/\/slsa.dev\/ (2022)."},{"key":"e_1_3_2_1_32_1","volume-title":"OpenSSF Scorecard - Security health metrics for Open Source","author":"Open SSF","year":"2025","unstructured":"OpenSSF. OpenSSF Scorecard - Security health metrics for Open Source, 2025."},{"key":"e_1_3_2_1_33_1","unstructured":"OpenSSF. Repository service for tuf (rstuf). https:\/\/openssf.org\/projects\/repository-service-for-tuf\/ n.d. Accessed: 2024-09-26."},{"key":"e_1_3_2_1_34_1","volume-title":"Software Component Verification Standard (SCVS). https:\/\/owasp-scvs.gitbook.io\/scvs\/","author":"OWASP.","year":"2020","unstructured":"OWASP. Software Component Verification Standard (SCVS). https:\/\/owasp-scvs.gitbook.io\/scvs\/ (2020)."},{"key":"e_1_3_2_1_35_1","volume-title":"Characterizing dependency update practice of npm, pypi and cargo packages. arXiv preprint arXiv:2403.17382","author":"Rahman I.","year":"2024","unstructured":"Rahman, I., Zahan, N., Magill, S., Enck, W., and Williams, L. Characterizing dependency update practice of npm, pypi and cargo packages. arXiv preprint arXiv:2403.17382 (2024)."},{"key":"e_1_3_2_1_36_1","volume-title":"Timeline of the xz open source attack. https:\/\/research.swtch.com\/xz-timeline","author":"Russ Cox","year":"2024","unstructured":"Russ Cox. Timeline of the xz open source attack. https:\/\/research.swtch.com\/xz-timeline, 2024."},{"key":"e_1_3_2_1_37_1","first-page":"582","volume-title":"2018 IEEE International conference on software maintenance and evolution (ICSME)","author":"Sabetta A.","year":"2018","unstructured":"Sabetta, A., and Bezzi, M. A practical approach to the automatic classification of security-relevant commits. In 2018 IEEE International conference on software maintenance and evolution (ICSME) (2018), IEEE, pp. 579\u2013582."},{"key":"e_1_3_2_1_38_1","first-page":"66","volume-title":"Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","author":"Sammak R.","year":"2023","unstructured":"Sammak, R., Rotthaler, A. L., Ramulu, H. S., Wermke, D., and Acar, Y. Developers' approaches to software supply chain security: An interview study. In Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (2023), pp. 56\u201366."},{"key":"e_1_3_2_1_39_1","first-page":"72","volume-title":"Proceedings of the 17th ACM conference on Computer and communications security","author":"Samuel J.","year":"2010","unstructured":"Samuel, J., Mathewson, N., Cappos, J., and Dingledine, R. Survivable key compromise in software update systems. In Proceedings of the 17th ACM conference on Computer and communications security (2010), pp. 61\u201372."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1111\/risa.13309","article-title":"Risk and the five hard problems of cybersecurity","volume":"39","author":"Scala N. M.","year":"2019","unstructured":"Scala, N. M., Reilly, A. C., Goethals, P. L., and Cukier, M. Risk and the five hard problems of cybersecurity. Risk Analysis 39, 10 (2019), 2119\u20132126.","journal-title":"Risk Analysis"},{"key":"e_1_3_2_1_41_1","volume-title":"SolarWinds Security Advisory. https:\/\/www.solarwinds.com\/sa-overview\/securityadvisory","author":"SolarWinds","year":"2021","unstructured":"SolarWinds. SolarWinds Security Advisory. https:\/\/www.solarwinds.com\/sa-overview\/securityadvisory, 2021."},{"key":"e_1_3_2_1_42_1","volume-title":"State of the software supply chain: A decade of data","author":"Sonatype","year":"2024","unstructured":"Sonatype. State of the software supply chain: A decade of data, 2024."},{"key":"e_1_3_2_1_43_1","volume-title":"Pep 458 - secure pypi downloads with tuf. https:\/\/peps.python.org\/pep-0458\/#pypi-and-tuf-metadata","author":"Stufft D.","year":"2014","unstructured":"Stufft, D., Cappos, J., and Kuppusamy, T. K. Pep 458 - secure pypi downloads with tuf. https:\/\/peps.python.org\/pep-0458\/#pypi-and-tuf-metadata, 2014. Accessed: 2024-09-26."},{"key":"e_1_3_2_1_44_1","first-page":"1410","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Torres-Arias S.","year":"2019","unstructured":"Torres-Arias, S., Afzali, H., Kuppusamy, T. K., Curtmola, R., and Cappos, J. in-toto: Providing farm-to-table guarantees for bits and bytes. In 28th USENIX Security Symposium (USENIX Security 19) (2019), pp. 1393\u20131410."},{"key":"e_1_3_2_1_45_1","first-page":"492","volume-title":"2019 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN)","author":"Wang X.","year":"2019","unstructured":"Wang, X., Sun, K., Batcheller, A., and Jajodia, S. Detecting\" 0-day\" vulnerability: An empirical study of secret security patch in oss. In 2019 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN) (2019), IEEE, pp. 485\u2013492."},{"key":"e_1_3_2_1_46_1","volume-title":"Executive order 14028 on improving the nation's cybersecurity. https:\/\/www.federalregister.gov\/documents\/2021\/05\/17\/2021-10460\/improving-the-nations-cybersecurity","author":"White House","year":"2021","unstructured":"White House. Executive order 14028 on improving the nation's cybersecurity. https:\/\/www.federalregister.gov\/documents\/2021\/05\/17\/2021-10460\/improving-the-nations-cybersecurity (2021)."},{"key":"e_1_3_2_1_47_1","volume-title":"Federal Cybersecurity Research and Development Strategic Plan","author":"White House","year":"2023","unstructured":"White House. Federal Cybersecurity Research and Development Strategic Plan 2023. https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2024\/01\/Federal-Cybersecurity-RD-Strategic-Plan-2023.pdf (2023)."},{"key":"e_1_3_2_1_48_1","volume-title":"BACK TO THE BUILDING BLOCKS: A PATH TOWARD SECURE AND MEASURABLE SOFTWARE. https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2024\/02\/Final-ONCD-Technical-Report.pdf","author":"White House","year":"2024","unstructured":"White House. BACK TO THE BUILDING BLOCKS: A PATH TOWARD SECURE AND MEASURABLE SOFTWARE. https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2024\/02\/Final-ONCD-Technical-Report.pdf (2024)."},{"key":"e_1_3_2_1_49_1","volume-title":"January 16","author":"White House","year":"2025","unstructured":"White House. Executive order 14144 on strengthening and promoting innovation in the nation's cybersecurity, January 16 2025. Accessed: 2025-04-28."},{"key":"e_1_3_2_1_50_1","volume-title":"Research directions in software supply chain security. ACM Trans. Softw. Eng. Methodol. (Jan","author":"Williams L.","year":"2025","unstructured":"Williams, L., Benedetti, G., Hamer, S., Paramitha, R., Rahman, I., Tamanna, M., Tystahl, G., Zahan, N., Morrison, P., Acar, Y., Cukier, M., K\u00e4stner, C., Kapravelos, A., Wermke, D., and Enck, W. Research directions in software supply chain security. ACM Trans. Softw. Eng. Methodol. (Jan. 2025). Just Accepted."},{"key":"e_1_3_2_1_51_1","volume-title":"Proactive Software Supply Chain Risk Management Framework (P-SSCRM) Version 1. https:\/\/arxiv.org\/pdf\/2404.12300","author":"Williams L.","year":"2024","unstructured":"Williams, L., Migues, S., Boote, J., and Hutchison, B. Proactive Software Supply Chain Risk Management Framework (P-SSCRM) Version 1. https:\/\/arxiv.org\/pdf\/2404.12300 (2024)."},{"key":"e_1_3_2_1_52_1","first-page":"472","volume-title":"2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE)","author":"Xu Z.","year":"2017","unstructured":"Xu, Z., Chen, B., Chandramohan, M., Liu, Y., and Song, F. Spain: security patch analysis for binaries towards understanding the pain and pills. In 2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE) (2017), IEEE, pp. 462\u2013472."},{"key":"e_1_3_2_1_53_1","volume-title":"M-22-18 enhancing the security of the software supply chain through secure software development practices. https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2022\/09\/M-22-18.pdf","author":"Young S. D.","year":"2022","unstructured":"Young, S. D. M-22-18 enhancing the security of the software supply chain through secure software development practices. https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2022\/09\/M-22-18.pdf (2022)."},{"key":"e_1_3_2_1_54_1","unstructured":"Young S. D. M-23-16 update to memorandum m-22-18 enhancing the security of the software supply chain through secure software development practices. https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2023\/06\/M-23-16-Update-to-M-22-18-Enhancing-Software-Security.pdf (June 9 2023)."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1109\/MSEC.2023.3279773","article-title":"Openssf scorecard: On the path toward ecosystem-wide automated security metrics","volume":"21","author":"Zahan N.","year":"2023","unstructured":"Zahan, N., Kanakiya, P., Hambleton, B., Shohan, S., and Williams, L. Openssf scorecard: On the path toward ecosystem-wide automated security metrics. IEEE Security & Privacy 21, 6 (2023), 76\u201388.","journal-title":"IEEE Security & Privacy"},{"key":"e_1_3_2_1_56_1","first-page":"303","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)","author":"Zahan N.","year":"2023","unstructured":"Zahan, N., Shohan, S., Harris, D., and Williams, L. Do software security practices yield fewer vulnerabilities? In 2023 IEEE\/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP) (2023), IEEE, pp. 292\u2013303."},{"key":"e_1_3_2_1_57_1","volume-title":"Prioritizing security practice adoption: Empirical insights on software security outcomes in the npm ecosystem. arXiv preprint arXiv:2504.14026","author":"Zahan N.","year":"2025","unstructured":"Zahan, N., and Williams, L. Prioritizing security practice adoption: Empirical insights on software security outcomes in the npm ecosystem. arXiv preprint arXiv:2504.14026 (2025)."}],"event":{"name":"FSE Companion '25: 33rd ACM International Conference on the Foundations of Software Engineering","location":"Clarion Hotel Trondheim Trondheim Norway","acronym":"FSE Companion '25","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696630.3734200","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:10:44Z","timestamp":1753729844000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696630.3734200"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,23]]},"references-count":57,"alternative-id":["10.1145\/3696630.3734200","10.1145\/3696630"],"URL":"https:\/\/doi.org\/10.1145\/3696630.3734200","relation":{},"subject":[],"published":{"date-parts":[[2025,6,23]]},"assertion":[{"value":"2025-07-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}