Smart cyber-physical systems: Too big to fail, too smart to be secure?

Attending ICSE? Then consider coming two days earlier to attend SEsCPS, the 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems, where I will be giving a keynote on the current state and challenges of CPS security. Abstract:

Many industrialized nations are currently pushing for smart cyber-physical systems as a major hope for new revenue models. But such systems become smart through connectivity, which opens them up to a whole range of new attack vectors. One may ask: why are current software-heavy cyber-physical systems as insecure as they are? My answer would be: why shouldn’t they be? Many such systems are designed and engineered by companies who never developed software engineering as a core competency. And how should such companies succeed where even the most prominent software vendors struggle? In this talk I will discuss my view of the challenges in secure software engineering and how the inclusion of hardware brings a whole new set of challenges to the game. I will outline my vision of secure systems engineering and raise a set of challenges that need to be addressed to make this vision become reality.

Joint Android Hacking Event in Darmstadt & Paderborn

On the evening of June 1st we will be jointly organizing a CTF-style Android Hacking Event. At Fraunhofer SIT & TU Darmstadt the organization is lead by team[SIK], at Paderborn University & Fraunhofer IEM by the Software Engineering Group. As a “local hacker” you will be able to physically attend either event, either at Fraunhofer SIT (Rheinstr.) or at Zukunftsmeile 1 in Paderborn. We will try to have a video feed between the two events.

You can also participate as a remote hacker. Remote participants will be listed separately, as we expect them to be more advanced than the student hackers that we actually target with this event. Prices will only be given out to local student hackers.

To qualify, you must register (and solve a couple of challenges) by May 11th here.

ISSTA Artifact Evaluation

We have put online information about ISSTA’s artifact evaluation. Note that this year you may provide artifacts ahead of time to positively influence the decision of paper acceptance!

Thanks for the positive feedback

20160310_131142Thanks for the positive feedback to my keynote at the Entwicklertag in Frankfurt! Let’s hope that the insights I shared about our BaaS-Analysis will help make the world a bit more secure…
And thanks a lot to Siegfried, Steven, Robert and Max for the great work! Keep it going!


ESSoS keynotes by Karsten Nohl and David Basin

Karsten Nohl

David Basin

We have just put online information about our two keynote presentations at ESSoS by Karsten Nohl and David Basin. Karsten Nohl will ask the question How much security is too much?, citing some lessons learned from introducing security into a new, large telecommunications startup, while David Basin will elaborate on the quirks of Security Testing and what it actually all means. I am looking forward to two exciting presentations!

Eric Bodden named Associate Editor of IEEE TSE

As of today, I have joined the editorial board of the IEEE Transactions on Software Engineering (TSE) as an associate editor. I am looking forward to receiving your very best submissions!

Eric Bodden appointed as ISSTA 2018 Program Chair

I am glad to report that I have just been appointed Program Chair of the 2018 International Symposium of Software Testing and Analysis (ISSTA). ISSTA is the leading research symposium on software testing and analysis, bringing together academics, industrial researchers, and practitioners to exchange new ideas, problems, and experience on how to analyze and test software systems. I wish to thank the organizing chair Frank Tip as well as the entire steering committee for this great honor.

ISSTA 2018 will be co-located with the European Conference on Object-Oriented Programming (ECOOP), in beautiful Amsterdam, Netherlands. Let’s make it a great event!

CYSEC researchers score five ICSE publications

ICSE is the premier academic conference for Software Engineering. In total, researchers of CYSEC managed to publish at least five ICSE publications this year, two with contributions from SSE:

“Looking for crypto backdoors is like searching camouflaged needles in a haystack” – Deutschlandfunk reports about our TrueCrypt study (German only)

Recently, our team member Andreas Poller gave an interview at Deutschlandfunk. The radio report shone a light on the reasons why the German Federal Office for Information Security (BSI) asked us to investigate TrueCrypt, how we executed the study, and what common users shall consider when using harddisk encryption.

The interview is available in German here.

Looking for Research Assistants (doctoral or post-doc) at University of Paderborn

As I announced a few weeks ago, in 2016 I will be moving to the University of Paderborn to start a tenured professorship there. As part of this move, I am looking for a number of new Ph.D. students and also PostDocs. The positions come with full funding for a number of years. You can find more information about these positions here. As stated, please direct your applications to

If you have a deep interest in software engineering, especially software security, the I am very much looking forward to your application!