Foundational and Experimental Security

The group focuses on the foundational and experimental nature of security to assess digital risks.

The underpinnings of the research we conduct are scientific rigour and sound empirical evaluation of security methodologies and solutions from risk assessment and threat analysis to mining software vulnerabilities and analysing Java and cloud microservices. We promote a foundational approach for conducting research in the intersection between Security, Software Engineering and Risk Analysis. The empirical approach allows us to solve security problems and defends against adversaries that are real instead of our own making.

We work from the mathematical foundations and models of risk analysis to their empirical validation with either large scale retrospective studies on software repositories or controlled experiments with students and professionals. The broad goal of the group is to provide industry and society with evidence-based advice about security risks.

To see who is who, check below.

Staff members, PhD students

Staff members
Fabio Massacci - Check on Scholar
Katja Tuma - Check on Scholar
Fernanda Madeiral Delfim - Check on Scholar
Mengyuan (Maggie) Zhang - Check on Scholar
Johannes Härtel - Check on Scholar

PhD students
Francesco Minna - AssureMOSS - on cloud security
Aurora Papotti - Dutch Sectorplan - on the security of systems with AI components
Winnie Mbaka - Dutch Sectorplan on diversity in security risk analysis
Chao Yin - China Scholarship Council - on confidential computing jointly with CWI - Marten Van Dijk
Emanuele Mezzi - NWO, TNO - on Uncertainty management in AI applied to Threat Intelligence
Sarah van Gerwen - NWO, Thales - on Uncertainty management in AI applied to Threat Intelligence
Ritten Roothaert - NWO - on Uncertainty management in AI applied to Threat Intelligence (jointly with the KR group, Stefan Schlobach)
Siqi Zhang - NWO - on security patching
THIS COULD BE YOU (contact us!)
Magazine papers

Technical Leverage: dependencies mixed blessing at IEEE S&P Magazine - LINK.
Distributed Financial Exchanges: Security Challenges and Design Principles at IEEE S&P Magazine - LINK.
Selected papers
(find more on the individual web pages)
Software Vulnerabilities
- Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks (ACM/IEEE ICSE’21) - LINK.
- Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies (IEEE TSE’20) - LINK.
Security by design
- Secure Data-Flow Compliance Checks between Models and Code Based on Automated Mappings (ACM/IEEE MODELS’19) - LINK.
- Automating the early detection of security design flaws (ACM/IEEE MODELS’20) - LINK.
Case studies
- A Qualitative Study of Dependency Management and Its Security Implications (ACM CCS-2020) - LINK.
- Finding Security Threats That Matter: Two Industrial Case Studies (JSS-2021 Preprint) - LINK.
Risk analysis
- Security Events and Vulnerability Data for Cyber Security Risk Estimation. (Risk AnalysisJournal 2018) - LINK.
- The Work-Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures. (Risk Analysis 2021) -LINK.
Software bugs
- Bears: An Extensible Java Bug Benchmark for Automatic Program Repair Studies (SANER 2019) - LINK.
- Dissection of a bug dataset: Anatomy of 395 patches from Defects4J (SANER 2018) - LINK.
Linter violation repair
- Styler: learning formatting conventions to repair Checkstyle violations (EMSE 2022) - LINK.
- Sorald: Automatic Patch Suggestions for SonarQube Static Analysis Violations (TDSC 2022) - LINK.

Foundational and Experimental Security

Foundational and Experimental Security: Staff, Papers, Analyses

Staff members, PhD students

Magazine papers

Selected papers

Quick links

Study

Featured

About VU