{"id":"https://openalex.org/W4416214924","doi":"https://doi.org/10.1109/tse.2025.3632765","title":"How Can ChatGPT Support Human Security Testers to Help Mitigate Supply Chain Attacks?","display_name":"How Can ChatGPT Support Human Security Testers to Help Mitigate Supply Chain Attacks?","publication_year":2025,"publication_date":"2025-11-14","ids":{"openalex":"https://openalex.org/W4416214924","doi":"https://doi.org/10.1109/tse.2025.3632765"},"language":null,"primary_location":{"id":"doi:10.1109/tse.2025.3632765","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2025.3632765","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Ying Zhang","orcid":"https://orcid.org/0000-0002-2770-9189"},"institutions":[{"id":"https://openalex.org/I47251452","display_name":"Wake Forest University","ror":"https://ror.org/0207ad724","country_code":"US","type":"education","lineage":["https://openalex.org/I47251452"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Ying Zhang","raw_affiliation_strings":["Department of Computer Science, Wake Forest University, Winston-Salem, NC, USA","Department of Computer Science, Blacksburg, VA"],"raw_orcid":"https://orcid.org/0000-0002-2770-9189","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Wake Forest University, Winston-Salem, NC, USA","institution_ids":["https://openalex.org/I47251452"]},{"raw_affiliation_string":"Department of Computer Science, Blacksburg, VA","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101980974","display_name":"Wenjia Song","orcid":"https://orcid.org/0009-0002-9597-3587"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Wenjia Song","raw_affiliation_strings":["Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","Department of Computer Science, Blacksburg, VA"],"raw_orcid":"https://orcid.org/0009-0002-9597-3587","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","institution_ids":["https://openalex.org/I859038795"]},{"raw_affiliation_string":"Department of Computer Science, Blacksburg, VA","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5027356543","display_name":"Zhengjie Ji","orcid":"https://orcid.org/0009-0008-0900-6456"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zhengjie Ji","raw_affiliation_strings":["Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","Department of Computer Science, Blacksburg, VA"],"raw_orcid":"https://orcid.org/0009-0008-0900-6456","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","institution_ids":["https://openalex.org/I859038795"]},{"raw_affiliation_string":"Department of Computer Science, Blacksburg, VA","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5034366344","display_name":"Danfeng Yao","orcid":"https://orcid.org/0000-0001-8969-2792"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Danfeng Yao","raw_affiliation_strings":["Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","Department of Computer Science, Blacksburg, VA"],"raw_orcid":"https://orcid.org/0000-0001-8969-2792","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","institution_ids":["https://openalex.org/I859038795"]},{"raw_affiliation_string":"Department of Computer Science, Blacksburg, VA","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5070152860","display_name":"Na Meng","orcid":"https://orcid.org/0000-0002-0230-5524"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Na Meng","raw_affiliation_strings":["Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","Department of Computer Science, Blacksburg, VA"],"raw_orcid":"https://orcid.org/0000-0002-0230-5524","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Virginia Tech, Blacksburg, VA, USA","institution_ids":["https://openalex.org/I859038795"]},{"raw_affiliation_string":"Department of Computer Science, Blacksburg, VA","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I47251452"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.46432212,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"52","issue":"2","first_page":"509","last_page":"526"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.3677999973297119,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.3677999973297119,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.3043999969959259,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.11069999635219574,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vulnerability-management","display_name":"Vulnerability management","score":0.6028000116348267},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.597000002861023},{"id":"https://openalex.org/keywords/consistency","display_name":"Consistency (knowledge bases)","score":0.5302000045776367},{"id":"https://openalex.org/keywords/programmer","display_name":"Programmer","score":0.5249000191688538},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.46720001101493835},{"id":"https://openalex.org/keywords/hacker","display_name":"Hacker","score":0.46219998598098755},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.4514999985694885},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.39730000495910645},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.3885999917984009}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8395000100135803},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.6028000116348267},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.597000002861023},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5497999787330627},{"id":"https://openalex.org/C2776436953","wikidata":"https://www.wikidata.org/wiki/Q5163215","display_name":"Consistency (knowledge bases)","level":2,"score":0.5302000045776367},{"id":"https://openalex.org/C2778514511","wikidata":"https://www.wikidata.org/wiki/Q1374194","display_name":"Programmer","level":2,"score":0.5249000191688538},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.46720001101493835},{"id":"https://openalex.org/C86844869","wikidata":"https://www.wikidata.org/wiki/Q2798820","display_name":"Hacker","level":2,"score":0.46219998598098755},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.4514999985694885},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.4309999942779541},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.39730000495910645},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.3885999917984009},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3792000114917755},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.3434999883174896},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.33799999952316284},{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.32919999957084656},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.3174000084400177},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.2842999994754791},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.2833999991416931},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.2827000021934509},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.28130000829696655},{"id":"https://openalex.org/C182306322","wikidata":"https://www.wikidata.org/wiki/Q1779371","display_name":"Order (exchange)","level":2,"score":0.27300000190734863},{"id":"https://openalex.org/C101317890","wikidata":"https://www.wikidata.org/wiki/Q940053","display_name":"Software maintenance","level":4,"score":0.26579999923706055},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.26499998569488525},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2637999951839447},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.25839999318122864},{"id":"https://openalex.org/C114869243","wikidata":"https://www.wikidata.org/wiki/Q133735","display_name":"Security through obscurity","level":5,"score":0.25459998846054077},{"id":"https://openalex.org/C128942645","wikidata":"https://www.wikidata.org/wiki/Q1568346","display_name":"Test case","level":3,"score":0.25189998745918274},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2517000138759613}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tse.2025.3632765","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2025.3632765","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":43,"referenced_works":["https://openalex.org/W1971650562","https://openalex.org/W1993704367","https://openalex.org/W2045974024","https://openalex.org/W2051990174","https://openalex.org/W2060333670","https://openalex.org/W2113864883","https://openalex.org/W2153773513","https://openalex.org/W2165597437","https://openalex.org/W2745087117","https://openalex.org/W2759023773","https://openalex.org/W2767943400","https://openalex.org/W2850616187","https://openalex.org/W2924629359","https://openalex.org/W2953558274","https://openalex.org/W2963909831","https://openalex.org/W2963926786","https://openalex.org/W2985320478","https://openalex.org/W3040158574","https://openalex.org/W3094130708","https://openalex.org/W3109094705","https://openalex.org/W3112452874","https://openalex.org/W3156480510","https://openalex.org/W3160978791","https://openalex.org/W3169915924","https://openalex.org/W3175545355","https://openalex.org/W4211233231","https://openalex.org/W4256267596","https://openalex.org/W4280563703","https://openalex.org/W4285490369","https://openalex.org/W4288057765","https://openalex.org/W4308562473","https://openalex.org/W4308641648","https://openalex.org/W4312790719","https://openalex.org/W4313062709","https://openalex.org/W4378676756","https://openalex.org/W4384304865","https://openalex.org/W4384345738","https://openalex.org/W4385302156","https://openalex.org/W4386231786","https://openalex.org/W4391724785","https://openalex.org/W4393152795","https://openalex.org/W4402860127","https://openalex.org/W4405274408"],"related_works":[],"abstract_inverted_index":{"Developers":[0],"often":[1],"build":[2],"software":[3,15,40,149],"on":[4,31,306],"top":[5,32],"of":[6,33,47,68,73,126,159,224,233,280],"third-party":[7],"libraries":[8,18],"(Libs)":[9],"to":[10,25,59,81,104,110,115,139,181,191,207],"improve":[11],"programmer":[12],"productivity":[13],"and":[14,55,77,119,131,133,201,270,289,297],"quality.":[16],"The":[17],"may":[19],"contain":[20],"vulnerabilities":[21,108,267],"exploitable":[22],"by":[23,63,96,291],"hackers":[24],"attack":[26],"the":[27,44,65,71,94,157,177,194,231,244,257,264],"applications":[28],"(Apps)":[29],"built":[30],"them.":[34],"Such":[35],"attacks":[36,128,180],"are":[37],"known":[38],"as":[39],"supply":[41,178],"chain":[42,179],"attacks,":[43,62],"documented":[45],"number":[46],"which":[48,168],"has":[49],"increased":[50],"742%":[51],"in":[52,113,151,193,268,309],"2022.":[53],"Researchers":[54],"developers":[56,90,147],"created":[57],"tools":[58],"mitigate":[60],"such":[61],"scanning":[64],"library":[66,75,107,174],"dependencies":[67,175],"Apps,":[69,269],"identifying":[70],"usage":[72,158],"vulnerable":[74,82,173],"versions,":[76],"suggesting":[78],"secure":[79],"alternatives":[80],"dependencies.":[83],"However,":[84],"recent":[85],"studies":[86],"show":[87],"that":[88,141,216,254],"many":[89],"do":[91],"not":[92],"trust":[93],"reports":[95,262],"these":[97],"tools;":[98],"they":[99],"need":[100],"code":[101],"or":[102,222],"evidence":[103,221],"demonstrate":[105,171,256],"how":[106,172],"lead":[109],"security":[111,166,211,247,285,310],"exploits,":[112],"order":[114],"assess":[116,230],"vulnerability":[117,225],"severity":[118],"modification":[120],"necessity.":[121],"Unfortunately,":[122],"manually":[123,199],"crafting":[124],"demos":[125],"application-specific":[127],"is":[129,135],"challenging":[130],"timeconsuming,":[132],"there":[134],"insufficient":[136],"tool":[137],"support":[138],"automate":[140],"procedure.":[142],"<p":[143],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[144],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">To":[145],"help":[146],"enhance":[148],"security,":[150],"this":[152],"study,":[153],"we":[154,187,198,236],"systematically":[155],"explored":[156],"a":[160,293],"large":[161],"language":[162],"model":[163],"(LLM)\u2013ChatGPT-4.0\u2013to":[164],"generate":[165],"tests,":[167],"unit":[169],"tests":[170,218,248,296],"facilitate":[176],"given":[182],"<i>Apps</i>.":[183],"In":[184],"our":[185],"exploration,":[186],"defined":[188],"prompt":[189],"templates":[190,206],"take":[192],"various":[195],"vulnerability-relevant":[196],"information":[197],"collected,":[200],"generated":[202,246],"prompts":[203],"from":[204],"those":[205],"query":[208],"ChatGPT":[209,281],"for":[210,226,249,263],"test":[212,234,286,311],"generation.":[213,312],"We":[214,259],"found":[215],"ChatGPT-generated":[217],"demonstrated":[219],"24":[220],"proof":[223],"49":[227],"Apps.":[228],"To":[229],"consistency":[232],"generation,":[235],"also":[237],"evaluated":[238],"another":[239],"five":[240],"state-of-the-art":[241,284],"LLMs.":[242],"All":[243],"models":[245],"at":[250],"least":[251],"17":[252],"cases":[253],"successfully":[255],"vulnerabilities.":[258],"filed":[260],"six":[261],"newly":[265],"revealed":[266],"got":[271],"four":[272],"Common":[273],"Vulnerability":[274],"Entries":[275],"(CVEs)":[276],"assigned.":[277],"Our":[278,301],"use":[279],"outperformed":[282],"two":[283],"generators":[287],"(TRANSFER":[288],"SIEGE),":[290],"generating":[292],"lot":[294],"more":[295,299],"achieving":[298],"attacks.":[300],"research":[302,308],"will":[303],"shed":[304],"light":[305],"new":[307]},"counts_by_year":[],"updated_date":"2026-02-14T06:23:00.392402","created_date":"2025-11-14T00:00:00"}