2025 Workshop Agenda

All times are in National Standard Time observed in Taiwan.

Opening Remarks and Best Paper Award (09:00)

PC Chairs

Keynote 1 (09:20)

A perspective on the history of software supply chain security and how we should shape the future

Speaker: Justin Cappos

Abstract

Software supply chain security has gone from a niche concern which few understood to a critical need for most organizations. This talk presents lessons learned from two decades of experience from the perspective of a software supply chain tool builder with a variety of successes and failures in the space. Working in this space is a constant battle to understand adopter problems and motivations, find the maximally secure solutions that are deployable, and work to have tooling ready (and battle tested) when the next big attack hits. The talk closes with a call to action to help address some of the most pressing issues today, including how our community can grow over the coming decades while protecting itself from the failure modes seen in other academic communities.

About Justin Cappos

Justin Cappos is a professor in the Computer Science and Engineering Department at New York University. He is a creator of a variety of widely used software supply chain technologies, including TUF, Uptane, gittuf, SBOMit, and in-toto. Working with his collaborators, he has also contributed to Git, Reproducible Builds, major Linux package managers, popular programming language ecosystems, legal repositories, automobiles, and more. Due to the depth and breadth of these contributions—along with, perhaps, a few gray hairs—he is, to his surprise, sometimes given the moniker “father of software supply chain security.”

Break (10:20)

Technical Session 1: Attacks and Defenses

Session Chair: TBA

Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order

Frank Reyes (KTH Royal Institute of Technology), Federico Bono (KTH Royal Institute of Technology), Aman Sharma (KTH Royal Institute of Technology), Benoit Baudry (Université de Montréal), Martin Monperrus (KTH Royal Institute of Technology)

From Hardware to Artifact: Trusted Software Builds with Remote Attestation

Behnaz Hassanshahi (Oracle), Rohan Kollambalath (Oracle), Trong Nhan Mai (Oracle), Jagannathan Raman (Oracle), Ian Chin Wang (Oracle)

Aggregating Security Measures from the Dependency Tree

Sarah Elder (North Carolina State University), Alex Klevans (North Carolina State University), Ranindya Paramitha (North Carolina State University), Marcelo d’Amorim (North Carolina State University), Laurie Williams (North Carolina State University)

Lunch (11:50)

Technical Session 2: Measuring Security Phenomena

Session Chair: TBA

Stepping out of Bounds: Security Impact of Allowing Packages on npm to Declare External Dependencies

Dominic Tassio (University of Kansas), Elizabeth Wyss (University of Kansas), Gael Salazar-Morales (University of Kansas), Lorenzo De Carli (University of Calgary), Drew Davidson (University of Kansas)

Spilling the Tea: Uncovering TEA Token Abuse in npm

Elizabeth Wyss (University of Kansas), Lorenzo De Carli (University of Calgary), Drew Davidson (University of Kansas)

ORCA: Unveiling Obscure Containers In The Wild

Jacopo Bufalino (Aalto University, CNAM), Agathe Blaise (Thales), Stefano Secci (CNAM)

Break (14:15)

Keynote 2 (14:25)

Speaker: TBA

Technical Session 3: Best Practices and Baselines

Session Chair: TBA

A Soundness and Precision Benchmark for Java Debloating Tools

Jonas Klauke (Paderborn University), Tom Ohlmer (Paderborn University), Stefan Schott (Paderborn University), Serena Elisa Ponta (SAP Labs), Wolfram Fischer (SAP Labs), Eric Bodden (University of Paderborn)

Establishing a Baseline of Software Supply Chain Security Task Adoption by Software Organizations

Laurie Williams (North Carolina State University), Sammy Migues (Imbricate Security)

Measuring Enterprise Software Supply Chain Security using Public Repositories

Dima Kashchuk (University of Tulsa), Tyler Moore (University of Tulsa)

Closing Remarks (16:50)