I am currently working on a controlled experiment to understand what the best way to perform threat analysis is (macro vs. micro).

In the past, I've worked on the following topics:
- Which vulnerability reports are better to fix security bugs: static analysis or pen testing? Published at ESEM 2016
- Which techniques for secure design are available? This systematic literature review has been published in the Journal of Software and Systems Modeling.
- Do security patterns produce more secure software? Published at ICSE'15 [more info]
- Comparing text mining to software metrics as predictors of vulnerabilities. Published at ISSRE'14 [more info], at IEEE Transactions on Reliability, and at ESEM 2016
- Predicting Vulnerable Software Components via Text Mining (for Android apps). Published in IEEE Transactions on Software Engineering in 2014 [more info]
- Empirical Evaluation of a Privacy-Focused Threat Modeling Methodology (100 students + 7 professionals). Published in Journal of Systems and Software in 2014 [more info]
- A descriptive study of Microsoft's threat modeling technique (57 subjects, 5th year master students). Published in Requirements Engineering in 2013 [more info]
- Static Analysis vs. penetration testing (9 subjects, professionals). Published at ISSRE'13 [more info]
- Change Patterns for Evolving Trust (12 subjects, 5th year master students). Published in SoSyM journal in 2012 [more info]
- Annotations in Security Patterns (90 subjects, 4th year master students). Published at ICSE'12 [more info]
- Aspect-Oriented Modeling with Domain Specific Models (16 subjects, PhD students). Published at ESEM'11 [more info]
- Aspect-Oriented Modeling with ThemeUML (10 subjects, PhD students). Published at AOSD'10 [more info]