MSR4P&S 2024

2nd International Workshop @ SANER 2024 (Rovaniemi, Finland)

Workshop Theme and Goals

The last decades have put Privacy and Security (P&S) in the spotlight of information technology as data breaches and cyberattacks have spiked globally. Still, P&S are often afterthoughts in software development as their benefits are sometimes difficult to demonstrate and their costs hard to justify. However, such technical debt is becoming hard to sustain as new legal frameworks, such as the EU General Data Protection Regulation (GDPR), require companies to incorporate P&S features (e.g., transparency, anonymity, and informed consent) at the core of their products. Hence, there is an urgent call for tools and methods supporting the elicitation and deployment of P&S requirements in a by-design approach.

P&S are multifaceted and complex research areas spanning different knowledge domains (e.g., engineering, law, and psychology). Challenges in P&S cannot be addressed from a single discipline alone, as they often involve human factors, technological artefacts, and regulatory/legal frameworks. In particular, the quest for P&S solutions requires in-depth knowledge and actionable information about a system's users/stakeholders, its vulnerabilities/flaws, and its potential attackers.

Mining Software Repositories (MSR) techniques can support this quest by providing means to understand the P&S dimensions of information systems, thus helping to shape privacy- and security-friendly software. This workshop aims to explore the application of MSR at the different stages of P&S engineering.

Topics of Interest

We invite MSR researchers and practitioners across multiple disciplines and knowledge backgrounds to submit contributions dealing with the following (or related) topics:

  • MSR applications for security risk assessment
  • MSR applications for privacy requirements engineering
  • MSR applications for security vulnerabilities detection
  • Engineering PETs through MSR methodologies
  • Privacy-Enhancing Technologies through MSR
  • MSR-based research for safety/security by design
  • Privacy-friendly MSRs (including mixed-methods)
  • MSR-based mixed-methods on P&S research
  • Privacy requirements in MSR-based research
  • Integrating MSRs into P&S research (empirical)
  • Analysis of repositories to mine for P&S research
  • Tools supporting MSR-based research for P&S
  • Datasets used for MSR-based research for P&S
  • MSR applications to P&S assurance

Special Topic of Interest

Any paper within the scope of the workshop will be considered. Additionally, this year we especially welcome submissions elaborating on MSR applications for the security and privacy assessment of generative Artificial Intelligence (AI) models (e.g., GPT-3 and GitHub Copilot) and their impact on modern software engineering processes.

Submission Guidelines

Submitted papers must have been neither previously accepted for publication nor concurrently submitted for review in another journal, book, conference, or workshop. All submissions must come in PDF format and conform, at the time of submission, to the IEEE Conference Proceedings Formatting Guidelines: title in 24pt font and full text in 10pt font. LaTeX users must use \documentclass[10pt,conference]{IEEEtran} without including the compsoc or compsocconf option. Also, papers must comply with the IEEE Policy on Authorship. All submissions must be in English. Submissions can be of the following types:

  • Regular Papers: Up to 8 pages, including references. Regular papers must describe original contributions in research and/or practice. Although they can be work-in-progress, the authors must present a clear path forward. These will be given a 15-minute presentation during the workshop.
  • Short Papers: Up to 4 pages, including references. Short papers encompass position papers, experience reports, work-in-progress, new trends papers, industrial reports, datasets and tools. These will be given a 7-minute presentation during the workshop.

The workshop will follow a double-anonymous peer review process in alignment with SANER’s Review Process policies. This means that the papers submitted must not reveal the authors’ identities in any way, omitting the names from the submission and referring to self-citations in the third person. The only exception will be dataset and tools papers, which will employ an optional single-anonymous review process.

All submitted papers will be reviewed regarding technical quality, relevance, significance, and clarity by the program committee. All workshop papers should be submitted electronically in PDF format through the workshop website (IEEE Format, Double Columns). Accepted papers will become part of the workshop proceedings.

Important Dates

The following are submission and workshop dates for all types of submissions:

EVENT | DEADLINE
Paper Submission (EXTENDED!) | December 20th, 2023 (AoE)
Main Track Author Notification | January 10th, 2024
Camera Ready (EXTENDED) | January 19th, 2024
Date of Workshop | March 12th, 2024

Program Committee

The Organising Committee thanks the following generous individuals:

Reviewer | Organisation
Federica Paci | University of Verona (Italy)
Ali Babar | University of Adelaide (Australia)
Diego Costa | Concordia University (Canada)
Maura Pintor | University of Cagliari (Italy)
Clemente Izurieta | Montana State University (USA)
Nan Sun | Deakin University (Australia)
Dinusha Vatsalan | Macquarie University (Australia)
Antonino Sabetta | SAP Security Research (France)
Maxwell Young | Mississippi State University (USA)
Mariana Peixoto | Federal University of Pernambuco (Brazil)
Kevin Moran | George Mason University (USA)
Atefeh Mohseni Ejiyeh | University of California (USA)

Workshop Program (12.03.2024 - GMT+2 Time)

TIME | TITLE | PRESENTER
SESSION 1: Welcome and Keynote Talk (9:00 - 9:55)
9:00am | ➡️ Welcome Message and Opening Remarks | Nicolas E. Diaz Ferreyra
9:05am | 🎯 Assessing the Scalability of Microservice Architectures | Andrea Janes
SESSION 2: Threats and Risk Assessment (9:55 - 10:30)
9:55am | 📝 W1: Assessing Security Risks of Software Supply Chains Using Software Bill of Materials | Eric O’Donoghue
10:15am | 📝 W2: Finding a Needle in a Haystack: Threat Analysis in Open-Source Projects | Bernd Gruner
10:30am | ☕ COFFEE BREAK
SESSION 3: Privacy and Security Analysis (11:00 - 12:15)
11:00am | 📝 W3: Managing Security Vulnerabilities Introduced by Third-Party Dependencies in JavaScript Applications | Anastasia Terzi
11:20am | 📝 W4: Automating Static Code Analysis Through CI/CD Pipeline Integration | Zachary Wadhams
11:40am | 📝 W5: Finding Privacy-Relevant Source Code | Bjarte M. Østvold
12:00pm | ➡️ Closing Remarks, End of MSR4P&S | Nicolas E. Diaz Ferreyra

Keynote: Assessing the Scalability of Microservice Architectures

Microservices have emerged as an architectural style for developing maintainable and scalable applications. Assessing the performance of architecture deployment configurations — e.g., with respect to deployment alternatives — is challenging and must be aligned with the system usage in the production environment. In this talk I present an approach for using operational profiles to generate load tests to automatically assess scalability pass/fail criteria of microservice configuration alternatives. The approach provides a domain-based metric for each alternative that can, for instance, be applied to make informed decisions about the selection of alternatives and to conduct production monitoring regarding performance-related system properties, e.g., anomaly detection. We have evaluated our approach using extensive experiments in a large bare metal host environment and a virtualized environment. The talk will briefly introduce the concept of microservices, present the deployment approach and the evaluation approach based on the open source tool locust.io; it will present the tool PPTAM used to conduct the experiments and the performed data analysis.

Dr. Andrea Janes is an associate professor at the Free University of Bozen/Bolzano. He was previously a senior lecturer and researcher at the FHV Vorarlberg University of Applied Sciences in Dornbirn, Austria, and a researcher at the Free University of Bozen/Bolzano, Italy. He received his master’s degree in computer science from the Technical University of Vienna, Austria and the doctorate in computer science (with distinction) from the University of Klagenfurt (Austria). He holds a Master’s degree in Business Informatics from the Vienna University of Technology and a PhD in Computer Science (with honors) from the University of Klagenfurt, Austria. He obtained the habilitation in Computer Science and Information processing systems. He is particularly interested in Lean and Agile approaches to software engineering, value-based software engineering, empirical software engineering, software testing, and technology transfer.

Accepted Papers

# | Authors | Paper Title | Paper Length
W1 | Eric O’Donoghue, Ann Marie Reinhold and Clemente Izurieta | Assessing Security Risks of Software Supply Chains Using Software Bill of Materials | full paper
W2 | Bernd Gruner, Sebastian Thomas Heckner, Tim Sonnekalb, Badr-Eddine Bouhlal and Clemens-Alexander Brust | Finding a Needle in a Haystack: Threat Analysis in Open-Source Projects | short paper
W3 | Anastasia Terzi and Matina Bibi | Managing Security Vulnerabilities Introduced by Third-Party Dependencies in JavaScript Applications | full paper
W4 | Zachary Wadhams, Ann Marie Reinhold and Clemente Izurieta | Automating Static Code Analysis Through CI/CD Pipeline Integration | full paper
W5 | Feiyang Tang and Bjarte M. Østvold | Finding Privacy-Relevant Source Code | full paper