Toward a Just-in-Time Static Analysis

To facilitate early dissemination, we are today making available the following technical report. It outlines our vision of how static security code-analysis tools can be made more interactive by allowing for just-in-time interactions. This is a collaboration with Ben Livshits from MSR.

Toward a Just-in-Time Static Analysis (Lisa Nguyen Quang Do, Karim Ali, Eric Bodden, Benjamin Livshits), Technical report TUD-CS-2015-1167, EC SPRIDE, 2015.

Asking for 10 minutes of your time on Java/crypto research

We are a group of researchers from TU Darmstadt, Germany, who work on creating tools to help developers use cryptography in their Java applications. 

We are looking for developers who use Java cryptography APIs to answer a short 10-minute survey. 

Our goal is to understand what cryptography tasks are usually performed, any difficulties developers face, and what would help Java developers use cryptography more correctly/efficiently.

Your participation is voluntary and completely anonymous. To participate, please fill in the survey at the following link http://tiny.cc/java_crypto_survey
Thanks!

Please feel free to forward this invitation to any Java developers you might know.

Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden

Community services for 2016

I am happy to announce that for 2016 I have confirmed membership in the program committees of all of the major software engineering conferences, i.e., ICSE, FSE and ASE. ISSTA does not allow PC members to serve a third time in a row, which is why I will instead contribute as co-chair of the artifact evaluation. I will also be a member of the CODASPY PC. For ASPLOS, the reviewing period clashes with that of ICSE, which is why I decided to contribute only to the ERC. Let there be many good submissions!

Interview with Technology Review

A few weeks ago, the German edition of Technology Review interviewed me on the state of software security. The article is available now.

Consider submitting to ESSoS’16

Please consider submitting your research papers to ESSoS’16, which will take place in April at Royal Holloway, London. We have been able to put together an excellent program committee. The submission deadline is October 2nd.

Two new papers to appear at ISC

Two new papers accepted at ISC are now available on our website. The first paper originated from our collaboration with SAP. It reports on a qualitative empirical study determining Factors Impacting the Effort Required to Fix Security Vulnerabilities. Thanks to our collaborators for the great work! The second work is on Dynamically Provisioning Isolation in Hierarchical Architectures, a novel, lightweight and effective means to counter side channels and covert channels in the cloud. Enjoy!

OCAP Phase 2 report out

The OCAP has published its Phase 2 report on its security analysis of the TrueCrypt code base. It appears that they discovered no major issues. In the meantime, we are making good progress on our own in-depth security analysis of TrueCrypt for the BSI. We hope to be able to make this one public, too, at some point.

First International Workshop on Agile Secure Software Development

Only two weeks left to submit to our workshop on Agile Secure Software Development. Better get started on your paper now!

heute.de reports on Harvester

The major German news station heute.de is reporting on our tool Harvester and on time bombs in apps in general. Read the German article here.

In the meantime we are doing our best to get both CodeInspect and Harvester ready for roll-out. Stay tuned for more.

TamiFlex now on GitHub

Since Google Code is shutting down, TamiFlex has found a new home on GitHub. We have tried our best to move the entire webpage and infrastructure there. Please let us know in case you find anything missing.