2025 Workshop Agenda
All times are in National Standard Time observed in Taiwan.
Opening Remarks and Best Paper Award (09:00)
PC Chairs
Keynote 1 (09:20)
A perspective on the history of software supply chain security and how we should shape the future
Speaker: Justin Cappos
Abstract
Software supply chain security has gone from a niche concern which few understood to a critical need for most organizations. This talk presents lessons learned from two decades of experience from the perspective of a software supply chain tool builder with a variety of successes and failures in the space. Working in this space is a constant battle to understand adopter problems and motivations, find the maximally secure solutions that are deployable, and work to have tooling ready (and battle tested) when the next big attack hits. The talk closes with a call to action to help address some of the most pressing issues today, including how our community can grow over the coming decades while protecting itself from the failure modes seen in other academic communities.
About Justin Cappos
Justin Cappos is a professor in the Computer Science and Engineering Department at New York University. He is a creator of a variety of widely used software supply chain technologies, including TUF, Uptane, gittuf, SBOMit, and in-toto. Working with his collaborators, he has also contributed to Git, Reproducible Builds, major Linux package managers, popular programming language ecosystems, legal repositories, automobiles, and more. Due to the depth and breadth of these contributions—along with, perhaps, a few gray hairs—he is, to his surprise, sometimes given the moniker “father of software supply chain security.”
Break (10:20)
Technical Session 1: Attacks and Defenses
Session Chair: TBA
Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order
Frank Reyes (KTH Royal Institute of Technology), Federico Bono (KTH Royal Institute of Technology), Aman Sharma (KTH Royal Institute of Technology), Benoit Baudry (Université de Montréal), Martin Monperrus (KTH Royal Institute of Technology)
From Hardware to Artifact: Trusted Software Builds with Remote Attestation
Behnaz Hassanshahi (Oracle), Rohan Kollambalath (Oracle), Trong Nhan Mai (Oracle), Jagannathan Raman (Oracle), Ian Chin Wang (Oracle)
Aggregating Security Measures from the Dependency Tree
Sarah Elder (North Carolina State University), Alex Klevans (North Carolina State University), Ranindya Paramitha (North Carolina State University), Marcelo d’Amorim (North Carolina State University), Laurie Williams (North Carolina State University)
Lunch (11:50)
Technical Session 2: Measuring Security Phenomena
Session Chair: TBA
Stepping out of Bounds: Security Impact of Allowing Packages on npm to Declare External Dependencies
Dominic Tassio (University of Kansas), Elizabeth Wyss (University of Kansas), Gael Salazar-Morales (University of Kansas), Lorenzo De Carli (University of Calgary), Drew Davidson (University of Kansas)
Spilling the Tea: Uncovering TEA Token Abuse in npm
Elizabeth Wyss (University of Kansas), Lorenzo De Carli (University of Calgary), Drew Davidson (University of Kansas)
ORCA: Unveiling Obscure Containers In The Wild
Jacopo Bufalino (Aalto University, CNAM), Agathe Blaise (Thales), Stefano Secci (CNAM)
Break (14:15)
Keynote 2 (14:25)
Speaker: TBA
Technical Session 3: Best Practices and Baselines
Session Chair: TBA
A Soundness and Precision Benchmark for Java Debloating Tools
Jonas Klauke (Paderborn University), Tom Ohlmer (Paderborn University), Stefan Schott (Paderborn University), Serena Elisa Ponta (SAP Labs), Wolfram Fischer (SAP Labs), Eric Bodden (University of Paderborn)
Establishing a Baseline of Software Supply Chain Security Task Adoption by Software Organizations
Laurie Williams (North Carolina State University), Sammy Migues (Imbricate Security)
Measuring Enterprise Software Supply Chain Security using Public Repositories
Dima Kashchuk (University of Tulsa), Tyler Moore (University of Tulsa)