I recently gave a lecture at the Ninth International Crisis Management Workshop (CriM’15) and Oulu Winter School. The program included many interesting talks. In my lecture I talked about our experience of using interviews, questionnaires, and data analytics to address research questions in secure software development. The lecture video is publicly available here.
ESSoS 2016 – Call for workshop/tutorial proposals
Proposals for both tutorials and workshops to be co-located with ESSOS’16 are welcome and can be sent to essos [at] cs [dot] kuleuven [dot] be by October 23, 2015 (1-2 pages).
ESSoS still accepting paper submissions
While the paper submission deadline (October 2) for ESSOS 2016 will not be extended, due to several requests paper submissions for which no abstract has been received yet are still allowed. Authors are encouraged to submit an abstract as soon as possible, but a paper can be submitted until the paper submission deadline even if no abstract was submitted first.
Moving on to new adventures
Yesterday I informed the people involved that, effective January 1st, I will be starting a new job as a full professor for “Softwaretechnik” at the University of Paderborn. In this position I plan to continue the research my group and I have been pursuing in the area of software security, but I also want to broaden my research in the direction of the secure design of cyber-physical systems. In my new role I will be able to do so nicely, as at the same time I will be a member of the leadership team of the Fraunhofer-Group for Design-Methodologies of Mechatronic systems. In addition, I will be contributing to the collaborative research center On-the-fly Computing and the Software Innovation Campus Paderborn. I am very much looking forward to my new responsibilities and colleagues.
At the same time, I plan to continue the close collaborations with my dear colleagues at Darmstadt. I wish to thank everyone in Darmstadt who has contributed to making my past six years there as happy and successful as they were!
What provokes Android users into revealing private information? – Paper accepted at HICCS
In joint work with Nicole Eling and Prof. Buxmann from TU Darmstadt, we published a very interesting market experiment on users’ reactions to fine-grained permission requests. This work explores the following research questions using a self-developed mobile application:
- How does the precision of an information request influence users’ disclosure of personal information?
- Is this effect different for users with different security backgrounds?
ISC Best Student Paper Award
Please join me in congratulating my Ph.D. student Kevin Falzon for receiving the Best Student Paper Award at ISC this year! His paper Dynamically Provisioning Isolation in Hierarchical Architectures describes how live migration may be used to dynamically isolate processes, for instance to hinder them from forming side channels or covert channels.
Static Analysis Seminar (SAS) – Winter Semester
We are happy to announce that we are organizing a Static Analysis Seminar (SAS) during the Winter Semester. Interested in learning more about various topics related to static analysis, such as pointer analysis, call graphs, the theory behind data-flow analysis, the usability of static analysis tools, and much more? Then do not hesitate to register for the seminar (TUCaN ID: 20-00-0942).
More information about the seminar and the tentative schedule is available here.
ESSOS final call for papers
ESSOS is accepting submissions of abstracts until the 25th and of research papers until October 2nd. We are happy to announce that both David Basin and Karsten Nohl will be presenting as invited speakers! Also, for the first time in the security community, ESSOS this year will offer a voluntary artifact evaluation! Read more in the full CFP below.
Talks at the First International Workshop on Agile Secure Software Development (ASSD’15)
The workshop was an opportunity to share experiences and ideas about developing secure software using agile processes. Achim Brucker opened the sessions with an overview of SAP’s experience in developing secure software. This was followed by a talk given by Jesus Choliz about applying the Microsoft Secure Software Development process to develop secure systems for election management. Lotfi ben Othmane continued the discussion by showing how to use the B method to detect inconsistencies in access policies in the context of incremental software development. Next, Prof. Juha Röning gave an overview of his experience in developing security fuzzing software and its use in agile processes. The spin-off that they created out of the project was recently sold to Synopsys.
In the afternoon session, Hela Oueslati discussed the challenges of developing secure software that she found in the literature, and her evaluation of the validity of these challenges with respect to the agile values and principles and to security practices. She asked the participants to help her in her future empirical studies on the topic. The presentation was followed by the talk of Clemens Teichmann, who shared his team’s experience in evaluating threat modeling methods for their fitness for the agile development processes used by their clients.
Afterwards, the attendees discussed the common point raised in the talks: the fast feedback and adaptation that agile processes offer help development teams reduce the cost of developing secure software. Early identification of vulnerabilities allows them to be fixed quickly (it is easier to fix new code). In addition, development teams can develop, early in a project, secure programming APIs or techniques to avoid in future development the vulnerabilities they encounter.
The full ARES program, including the workshop program, is available here.
Karsten Nohl at ESSOS
I was just able to confirm Karsten Nohl as an invited speaker for ESSOS 2016. Thanks a lot for accepting! We hope to see you all there. The submission deadline is just about a month away.