2025 Workshop Agenda

All times are in National Standard Time observed in Taiwan.

Opening Remarks and Best Paper Award (09:00)

PC Chairs

Keynote 1 (09:20)

How to trust code we run

Speaker: Nicole Bates

Abstract

This talk examines the urgent challenges facing today’s supply chains, centering on the fundamental question: why should we trust the code we run? Through a demonstration of an end-to-end supply chain model workflow—including signing and transparently publishing an AI model manifest—the talk illustrates how transparency mechanisms can strengthen trust, accountability, integrity and security across the supply chain.

The session also highlights emerging industry standards that underpin traceability, interoperability, and compliance, which are essential for effective risk management. Attendees will gain practical insights into how these evolving frameworks are shaping the future of secure supply chain practices.

About Nicole Bates

Nicole Bates works in Microsoft’s Azure Office of the CTO where she focuses on supply chain security. She is actively involved in the OpenSSF’s Supply Chain Integrity and ORBIT Working Groups and contributes to standards development through the IETF’s Supply Chain Integrity, Transparency and Trust and COSE working groups. She is currently working on an AIBOM tool. Her experience spans over 20 years working in computer security at UC Berkeley, General Dynamics, and Microsoft. While at UC Berkeley’s intrusion detection team, she specialized in computer forensics, analyzing compromised computers and investigating major threats including the Code Red and Nimda worms, building foundational expertise in threat detection and digital investigation that informs her current efforts in supply chain security.

Break (10:20)

Technical Session 1: Attacks and Defenses

Session Chair: Sarah Evans

Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order

Frank Reyes (KTH Royal Institute of Technology), Federico Bono (KTH Royal Institute of Technology), Aman Sharma (KTH Royal Institute of Technology), Benoit Baudry (Université de Montréal), Martin Monperrus (KTH Royal Institute of Technology)

From Hardware to Artifact: Trusted Software Builds with Remote Attestation

Behnaz Hassanshahi (Oracle), Rohan Kollambalath (Oracle), Trong Nhan Mai (Oracle), Jagannathan Raman (Oracle), Ian Chin Wang (Oracle)

Aggregating Security Measures from the Dependency Tree

Sarah Elder (North Carolina State University), Alex Klevans (North Carolina State University), Ranindya Paramitha (North Carolina State University), Marcelo d’Amorim (North Carolina State University), Laurie Williams (North Carolina State University)

Lunch (11:50)

Technical Session 2: Measuring Security Phenomena

Session Chair: Behnaz Hassanshahi

Stepping out of Bounds: Security Impact of Allowing Packages on npm to Declare External Dependencies

Dominic Tassio (University of Kansas), Elizabeth Wyss (University of Kansas), Gael Salazar-Morales (University of Kansas), Lorenzo De Carli (University of Calgary), Drew Davidson (University of Kansas)

Spilling the Tea: Uncovering TEA Token Abuse in npm

Elizabeth Wyss (University of Kansas), Lorenzo De Carli (University of Calgary), Drew Davidson (University of Kansas)

ORCA: Unveiling Obscure Containers In The Wild

Jacopo Bufalino (Aalto University, CNAM), Agathe Blaise (Thales), Stefano Secci (CNAM)

Break (14:15)

Keynote 2 (14:25)

A perspective on the history of software supply chain security and how we should shape the future

Speaker: Justin Cappos

Abstract

Software supply chain security has gone from a niche concern which few understood to a critical need for most organizations. This talk presents lessons learned from two decades of experience from the perspective of a software supply chain tool builder with a variety of successes and failures in the space. Working in this space is a constant battle to understand adopter problems and motivations, find the maximally secure solutions that are deployable, and work to have tooling ready (and battle tested) when the next big attack hits. The talk closes with a call to action to help address some of the most pressing issues today, including how our community can grow over the coming decades while protecting itself from the failure modes seen in other academic communities.

About Justin Cappos

Justin Cappos is a professor in the Computer Science and Engineering Department at New York University. He is a creator of a variety of widely used software supply chain technologies, including TUF, Uptane, gittuf, SBOMit, and in-toto. Working with his collaborators, he has also contributed to Git, Reproducible Builds, major Linux package managers, popular programming language ecosystems, legal repositories, automobiles, and more. Due to the depth and breadth of these contributions—along with, perhaps, a few gray hairs—he is, to his surprise, sometimes given the moniker “father of software supply chain security.”

Technical Session 3: Best Practices and Baselines

Session Chair: Drew Davidson

A Soundness and Precision Benchmark for Java Debloating Tools

Jonas Klauke (Paderborn University), Tom Ohlmer (Paderborn University), Stefan Schott (Paderborn University), Serena Elisa Ponta (SAP Labs), Wolfram Fischer (SAP Labs), Eric Bodden (University of Paderborn)

Establishing a Baseline of Software Supply Chain Security Task Adoption by Software Organizations

Laurie Williams (North Carolina State University), Sammy Migues (Imbricate Security)

Measuring Enterprise Software Supply Chain Security using Public Repositories

Dima Kashchuk (University of Tulsa), Tyler Moore (University of Tulsa)

Closing Remarks (16:50)

SCORED Happy Hour (17:00)

Join us for the SCORED happy hour, sponsored by the CHAINS research group.

Location: TBA