Research

Static code analysis can detect many known vulnerability classes when it is correctly configured for the specific system under analysis. However, the acceptance of static analysis tools among developers is still very low. One of the main issues is that developers are not familiar with the domain and do not know how to set the analysis parameters to get the expected results; default configurations often produce a high number of false positives. If we want to reach a SecDevOps process, we need to make sure that developers are aware of security issues already in the design phase. In my research, I develop methods and tools that close the gap between development and static code analysis. One of the main problems is how to detect the security-relevant entities in the code (such as the security-relevant methods that a taint analysis uses as sources and sinks) that are needed to configure static analyses. The goal is to provide developers with an IDE-integrated generator of configurations for static analyses that can be used at design time.
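To make concrete what "configuring a static analysis with security-relevant entities" means, and why an unconfigured default produces false positives, here is a small added illustration (not code from this page or from any of the tools it refers to). It runs a toy taint analysis over a constructed, simplified program: the configuration is just three sets of method names (sources, sinks, sanitizers), and the same program is analysed once with a broad default configuration that knows nothing about the system and once with a configuration tailored to it. The program, the method names and both configurations are assumptions made for the example.

```python
"""Toy taint analysis: findings depend on the configured sources/sinks/sanitizers.

Added example. The program representation and the method names are constructed
for illustration; they are not the format of any real analysis tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    """The 'security-relevant entities' a taint analysis needs to know."""
    sources: frozenset     # methods whose return value is attacker-controlled
    sinks: frozenset       # methods that must never receive tainted data
    sanitizers: frozenset  # methods whose return value is safe again


# Constructed straight-line program of a web request handler.
# Each statement is (assigned variable or None, callee, argument list).
# Arguments starting with a double quote are string literals, never tainted.
PROGRAM = [
    ("uid",      "request.getParameter", ['"id"']),
    ("name",     "request.getParameter", ['"name"']),
    ("table",    "config.get",           ['"user_table"']),  # operator-controlled setting
    ("safe_uid", "Integer.parseInt",     ["uid"]),           # numeric conversion
    ("query",    "String.concat",        ["table", "safe_uid"]),
    (None,       "stmt.executeQuery",    ["query"]),
    ("msg",      "String.concat",        ['"Hello "', "name"]),
    (None,       "log.info",             ["msg"]),
    (None,       "writer.print",         ["msg"]),           # written into the HTML response
]

# Hypothetical out-of-the-box configuration: every external input is a source,
# every output-producing call is a sink, and no sanitizer is known.
DEFAULT_CONFIG = Config(
    sources=frozenset({"request.getParameter", "config.get"}),
    sinks=frozenset({"stmt.executeQuery", "log.info", "writer.print"}),
    sanitizers=frozenset(),
)

# Hypothetical configuration tailored to this system: only request parameters are
# attacker-controlled, only SQL and the HTML response are relevant sinks, and a
# successful integer conversion cannot carry an injection payload.
TAILORED_CONFIG = Config(
    sources=frozenset({"request.getParameter"}),
    sinks=frozenset({"stmt.executeQuery", "writer.print"}),
    sanitizers=frozenset({"Integer.parseInt"}),
)


def analyze(program, config):
    """Forward taint propagation over the straight-line program.

    Returns a list of (statement index, sink, sorted tuple of originating sources)
    for every sink call that receives a tainted argument.
    """
    taint = {}      # variable -> set of source methods whose data reaches it
    findings = []
    for idx, (out, callee, args) in enumerate(program):
        # Taint flowing into this call: union of the taint of its variable arguments.
        incoming = set()
        for arg in args:
            if not arg.startswith('"'):
                incoming |= taint.get(arg, set())
        if callee in config.sinks and incoming:
            findings.append((idx, callee, tuple(sorted(incoming))))
        if out is None:
            continue
        if callee in config.sources:
            taint[out] = {callee}          # fresh attacker-controlled data
        elif callee in config.sanitizers:
            taint[out] = set()             # taint is cleared
        else:
            taint[out] = incoming          # ordinary call propagates taint
    return findings


def false_positive_count(program, broad, precise):
    """How many findings of the broad configuration disappear with the precise one."""
    return len(analyze(program, broad)) - len(analyze(program, precise))


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("tailored", TAILORED_CONFIG)):
        print(label)
        for idx, sink, origins in analyze(PROGRAM, cfg):
            print(f"  statement {idx}: {sink} receives data from {', '.join(origins)}")
```

With the default configuration the toy analysis reports three flows, two of which the developers of this system would dismiss (the query built from a configuration value and a parsed integer, and the log line). With the tailored configuration only the reflected request parameter reaching `writer.print` remains. The three sets in `Config` are exactly the kind of information the developer would otherwise have to supply by hand, and that a configuration generator would need to derive from the code.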

Theses supervision

At Paderborn University, I offer Bachelor, Master and Seminar theses. Here is a list of finished, ongoing and open topics.

  • [ongoing] Seminar Secure Systems Engineering (WS18/19) – Survey on adaptive static analysis, student: Pavan Gurkhi Bhimesh
  • [finished] Bachelor thesis – Authentication and authorization checker for Java web systems, student: Tobias Petrasch
  • [finished] Bachelor thesis – Evaluation of machine learning algorithms for automatic detection of security-relevant methods, student: Parviz Nasiry
  • [finished] Seminar Secure Systems Engineering (WS17/18) – Inferring specifications for taint-style vulnerabilities, student: Sebastian Mansfield
  • [finished] Seminar Secure Systems Engineering (WS16/17) – Security vulnerabilities in Android’s inter-app communication, student: Michael Kuenneke

If you are a student interested in similar topics, feel free to contact me and set up a meeting. Speculative requests are welcome.

Teaching assistance

Service

Publications