Sorry! De informatie die je zoekt, is enkel beschikbaar in het Engels.
This programme is saved in My Study Choice.
Something went wrong with processing the request.
Something went wrong with processing the request.

Foundational and Experimental Security

The group focuses on the foundational and experimental nature of security to assess digital risks.

The underpinnings of the research we conduct are scientific rigour and sound empirical evaluation of security methodologies and solutions from risk assessment and threat analysis to mining software vulnerabilities and analysing Java and cloud microservices. We promote a foundational approach for conducting research in the intersection between Security, Software Engineering and Risk Analysis. The empirical approach allows us to solve security problems and defends against adversaries that are real instead of our own making.

We work from the mathematical foundations and models of risk analysis to their empirical validation with either large scale retrospective studies on software repositories or controlled experiments with students and professionals. The broad goal of the group is to provide industry and society with evidence-based advice about security risks.

To see who is who, check below.

Foundational and Experimental Security: Staff, Papers, Analyses

  • Staff members, PhD students

    Staff members  

    Fabio Massacci - Check on Scholar

    Katja Tuma - Check on Scholar

    Fernanda Madeiral Delfim - Check on Scholar

    Mengyuan (Maggie) Zhang - Check on Scholar

    PhD students

    Francesco Minna  - AssureMOSS - on cloud security

    Aurora Papotti - Dutch Sectorplan - on the security of systems with AI components

    Winnie Mbaka - Dutch Sectorplan on diversity in security risk analysis

    Samina Kanwal - Dutch Sectorplan on safety and security jointly with the TCS group - Wan Fokking

    Chao Yin - China Scholarship Council - on confidential computing jointly with CWI - Marten Van Dijk

    Emanuele Mezzi - TNO, Thales - on Uncertainty management in AI applied to Threat Intelligence

    THIS COULD BE YOU (contact us!)

  • Magazine papers

    Technical Leverage: dependencies mixed blessing at IEEE S&P Magazine - LINK.
    Distributed Financial Exchanges: Security Challenges and Design Principles at IEEE S&P Magazine - LINK

  • Selected papers

    (find more on the individual web pages)
    Software Vulnerabilities

    • Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks (ACM/IEEE ICSE’21) - LINK.
    • Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies (IEEE TSE’20) - LINK.

    Security by design

    • Secure Data-Flow Compliance Checks between Models and Code Based on Automated Mappings (ACM/IEEE MODELS’19) - LINK.
    • Automating the early detection of security design flaws (ACM/IEEE MODELS’20) - LINK.

    Case studies

    • A Qualitative Study of Dependency Management and Its Security Implications (ACM CCS-2020) - LINK.
    •  Finding Security Threats That Matter: Two Industrial Case Studies (JSS-2021 Preprint) - LINK.

    Risk analysis

    • Security Events and Vulnerability Data for Cyber Security Risk Estimation. (Risk AnalysisJournal 2018) - LINK.
    • The Work-Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures. (Risk Analysis 2021) -LINK.

    Software bugs

    • Bears: An Extensible Java Bug Benchmark for Automatic Program Repair Studies (SANER 2019) - LINK.
    • Dissection of a bug dataset: Anatomy of 395 patches from Defects4J (SANER 2018) - LINK.

    Linter violation repair

    • Styler: learning formatting conventions to repair Checkstyle violations (EMSE 2022) - LINK
    • Sorald: Automatic Patch Suggestions for SonarQube Static Analysis Violations (TDSC 2022) - LINK