Education Research Current About VU Amsterdam NL
Login as
Prospective student Student Employee
Bachelor Master VU for Professionals
Exchange programme VU Amsterdam Summer School Honours programme VU-NT2 Semester in Amsterdam
PhD at VU Amsterdam Research highlights Prizes and distinctions
Research institutes Our scientists Research Impact Support Portal Creating impact
News Events calendar Woman at the top
Israël and Palestinian regions Culture on campus
Practical matters Mission and core values Entrepreneurship on VU Campus
Organisation Partnerships Alumni University Library Working at VU Amsterdam
Sorry! De informatie die je zoekt, is enkel beschikbaar in het Engels.
This programme is saved in My Study Choice.
Something went wrong with processing the request.
Something went wrong with processing the request.

Foundational and Experimental Security

The group focuses on the foundational and experimental nature of security to assess digital risks.

The underpinnings of the research we conduct are scientific rigour and sound empirical evaluation of security methodologies and solutions from risk assessment and threat analysis to mining software vulnerabilities and analysing Java and cloud microservices. We promote a foundational approach for conducting research in the intersection between Security, Software Engineering and Risk Analysis. The empirical approach allows us to solve security problems and defends against adversaries that are real instead of our own making.

We work from the mathematical foundations and models of risk analysis to their empirical validation with either large scale retrospective studies on software repositories or controlled experiments with students and professionals. The broad goal of the group is to provide industry and society with evidence-based advice about security risks.

To see who is who, check below.

Foundational and Experimental Security: Staff, Papers, Analyses

  • Staff members, PhD students

    Staff members  

    Fabio Massacci - Check on Scholar

    Katja Tuma - Check on Scholar

    Mengyuan (Maggie) Zhang - Check on Scholar

    Johannes Härtel - Check on Scholar

    PhD students

    Francesco Minna  - AssureMOSS - on cloud security

    Aurora Papotti - Dutch Sectorplan - on the security of systems with AI components

    Winnie Mbaka - Dutch Sectorplan on diversity in security risk analysis

    Chao Yin - China Scholarship Council - on confidential computing jointly with CWI - Marten Van Dijk

    Emanuele Mezzi - NWO, TNO - on Uncertainty management in AI applied to Threat Intelligence

    Sarah van Gerwen - NWO, Thales - on Uncertainty management in AI applied to Threat Intelligence

    Ritten Roothaert - NWO - on Uncertainty management in AI applied to Threat Intelligence (jointly with the KR group, Stefan Schlobach)

    Siqi Zhang - NWO - on security patching

    THIS COULD BE YOU (contact us!)

  • Magazine papers

    Technical Leverage: dependencies mixed blessing at IEEE S&P Magazine - LINK.
    Distributed Financial Exchanges: Security Challenges and Design Principles at IEEE S&P Magazine - LINK

  • Selected papers

    (find more on the individual web pages)
    Software Vulnerabilities

    • Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks (ACM/IEEE ICSE’21) - LINK.
    • Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies (IEEE TSE’20) - LINK.

    Security by design

    • Secure Data-Flow Compliance Checks between Models and Code Based on Automated Mappings (ACM/IEEE MODELS’19) - LINK.
    • Automating the early detection of security design flaws (ACM/IEEE MODELS’20) - LINK.

    Case studies

    • A Qualitative Study of Dependency Management and Its Security Implications (ACM CCS-2020) - LINK.
    •  Finding Security Threats That Matter: Two Industrial Case Studies (JSS-2021 Preprint) - LINK.

    Risk analysis

    • Security Events and Vulnerability Data for Cyber Security Risk Estimation. (Risk AnalysisJournal 2018) - LINK.
    • The Work-Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures. (Risk Analysis 2021) -LINK.

    Software bugs

    • Bears: An Extensible Java Bug Benchmark for Automatic Program Repair Studies (SANER 2019) - LINK.
    • Dissection of a bug dataset: Anatomy of 395 patches from Defects4J (SANER 2018) - LINK.

    Linter violation repair

    • Styler: learning formatting conventions to repair Checkstyle violations (EMSE 2022) - LINK
    • Sorald: Automatic Patch Suggestions for SonarQube Static Analysis Violations (TDSC 2022) - LINK

Quick links

Homepage Culture on campus VU Sports Centre Dashboard

Study

Academic calendar Study guide Timetable Canvas

Featured

VUfonds VU Magazine Ad Valvas Digital accessibility

About VU

Contact us Working at VU Amsterdam Faculties Divisions Privacy Disclaimer Veiligheid Webcolofon Cookies Webarchief

Copyright © 2025 - Vrije Universiteit Amsterdam