Research Publication

What are Weak Links in the npm Supply Chain? 

ICSE-SEIP '23: International Conference on Software Engineering: Software Engineering in Practice

Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, Laurie Williams

Do Software Security Practices Yield Fewer Vulnerabilities?

ICSE-SEIP '23: International Conference on Software Engineering: Software Engineering in Practice

Nusrat Zahan, Shohanuzzaman Shohan, Dan Harris, Laurie Williams

Do I really need all this work to find vulnerabilities? An empirical case study comparing vulnerability detection techniques on a Java application.

EMSE'22: Empirical Software Engineering journal

Sarah Elder, Nusrat Zahan, Rui Shu, Monica Metro, Valeri Kozarev, Tim Menzies, Laurie Williams

Structuring a comprehensive software security course around the OWASP application security verification standard.

ICSE-SEET'21: International Conference on Software Engineering: Software Engineering Education and Training

Sarah Elder, Nusrat Zahan, Rui Shu, Valeri Kozarev, Tim Menzies, Laurie Williams

Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, Dan Harris, Laurie Williams

In-Submission

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) Tools in a Large Java-based System.

Aishwarya Seth, Saikath Bhattacharya, Sarah Elder, Nusrat Zahan, Laurie Williams