Research Projects

Security Requirements

Security Requirements

The goal of this research is to support analysts in security requirements engineering by developing and researching a frameworks, tools, and processes for producing and improving security requirements.

Read more »
Surfacing Security Metrics from Throughout a Package's Dependency Tree (Survey)

Surfacing Security Metrics from Throughout a Package's Dependency Tree (Survey)

Aid practitioners in making informed decisions about which third-party packages to use or replace

The goal of this research is to aid developers and software architects in making good component choices through an analysis of the relevance and utility of security metrics from the entire dependency tree associated with a package.

Read more »
Risk-based Secret Detection

Risk-based Secret Detection

Aid practitioners to identify checked-in credentials and mitigate secrets leakage

The goal of this project is to aid software practitioners in reducing the security risk of checked-in secrets through the development of empirically-based tools for identifying and prioritizing the eradication of already checked-in secrets and techniques for securely managing secrets to prevent injection of secrets into a codebase.

Read more »
Software Vulnerability Detection

Software Vulnerability Detection

Diagnosing and Triaging Software Security Problems

The goal of this research is to aid practitioners in determining which Vulnerability Detection Tools and Techniques to use, and how to use them. (Photo of the original Computer Bug Courtesy of the Naval Surface Warfare Center, Public domain, via Wikimedia Commons - we have been working on research in bugs and vulnerabilities for a long time, but not THAT long)

Read more »
Supply Chain Security Metrics

Supply Chain Security Metrics

Aid practitioners to identify secure software products in software ecosystem

The goal of this research is to aid practitioners in producing more secure software products through the development of actionable security metrics, the identification of weak link signals, and the leveraging of software security measures in dependency graphs to select good components.

Read more »
P4-Misuse

P4-Misuse

Reasoning about Accidental and Malicious Misuse via Formal Models of User Expectations and Software Systems

To aid security analysts in identifying and protecting against accidental and malicious actions by users or software through automated reasoning on unified representations of user expectations and software implementation to identify misuses sensitive to usage and machine context.

Read more »