Ivan Pashchenko
Known Vulnerabilities of Open Source Projects: Where Are the Fixes?
Every day, developers have the daunting task of tracing vulnerabilities back in a morass of commits. In this article, we report the experience of the industrial open source tool, Prospector, to support developers in this task.
Introduction to the Special Issue on Vulnerabilities
Vulnerabilities are a fundamental aspect of the field of Digital Threats. How we discover, manage, and reduce the impact of vulnerabilities is as important as the vulnerabilities themselve…
Lightweight Parsing and Slicing for Bug Identification in C
Program slicing has been used to semi- or fully-automatically help developers find errors and vulnerabilities in their programs. For example, Dashevskyi et al. (IEEE TSE 2018) introduced a lightweight slicer for Java that can be used for v…
Machine Learning for Source Code Vulnerability Detection: What Works and What Isn’t There Yet
We review machine learning approaches for detecting (and correcting) vulnerabilities in source code, finding that the biggest challenges ahead involve agreeing to a benchmark, increasing language and error type coverage, and using pipeline…
Code Analysis Tables for Developers Interviews on Dependencies Paper
Code Analysis Tables for the ACM CCS 2020 paper "A qualitative study of dependency management and its security implications"
TaintBench: Automatic real-world malware benchmarking of Android taint analyses
Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details …
LastPyMile: identifying the discrepancy between sources and packages
Open source packages have source code available on repositories for inspection (e.g. on GitHub) but developers use pre-built packages directly from the package repositories (such as npm for JavaScript, PyPI for Python, or RubyGems for Ruby…
LastPyMile Replication Package
Replication package for the ESEC/FSE 2021 paper "LastPyMile: Identifying the discrepancy between sources and packages"
Please hold on: more time = more patches? Automated program repair as anytime algorithms
Current evaluations of automatic program repair (APR) techniques focus on tools' effectiveness, while little is known about the practical aspects of using APR tools, such as how long one should wait for a tool to generate a bug fix. In thi…
Secure Software Development in the Era of Fluid Multi-party Open Software and Services
Pushed by market forces, software development has become fast-paced. As a consequence, modern development projects are assembled from 3rd-party components. Security & privacy assurance techniques once designed for large, controlled updates…
Technical Leverage: Dependencies Are a Mixed Blessing
One year ago, Mack and Schroer captured in this column [1] the current crisis faced by software security quality control.
Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks
In finance, leverage is the ratio between assets borrowed from others and one's own assets. A matching situation is present in software: by using free open-source software (FOSS) libraries a developer leverages on other people's code to mu…
Large-Scale Manual Validation of Bug Fixing Commits: A Fine-grained Analysis of Tangling
Context: Tangled commits are changes to software that address multiple concerns at once. For researchers interested in bugs, tangled commits mean that they actually study not only bugs, but also other concerns irrelevant for the study of b…
A Qualitative Study of Dependency Management and Its Security Implications
Several large scale studies on the Maven, NPM, and Android ecosystems point out that many developers do not often update their vulnerable software libraries thus exposing the user of their code to security risks. The purpose of this study …
Towards Using Source Code Repositories to Identify Software Supply Chain Attacks
Increasing popularity of third-party package repositories, like NPM, PyPI, or RubyGems, makes them an attractive target for software supply chain attacks. By injecting malicious code into legitimate packages, attackers were known to gain m…
Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies
Vulnerable dependencies are a known problem in today's free open-source software ecosystems because FOSS libraries are highly interconnected, and developers do not always update their dependencies. Our paper proposes Vuln4Real, the methodo…
Typosquatting and Combosquatting Attacks on the Python Ecosystem
Limited automated controls integrated into the Python Package Index (PyPI) package uploading process make PyPI an attractive target for attackers to trick developers into using malicious packages. Several times this goal has been achieved …
Preliminary findings on FOSS dependencies and security
Developers are known to keep third-party dependencies of their projects outdated even if some of them are affected by known vulnerabilities. In this study we aim to understand why they do so. For this, we conducted 25 semi-structured inter…
Vulnerable open source dependencies
Background: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies.
Vulnerable Open Source Dependencies: Counting Those That Matter
BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to presen…