I am currently working on a controlled experiment to understand which is the better way to perform threat analysis (macro vs. micro).

In the past, I've worked on the following topics:
  • Which vulnerability reports are more useful for fixing security bugs: static analysis or pen testing? Published at ESEM 2016
  • Which techniques for secure design are available? This systematic literature review has been published in the Journal of Software and Systems Modeling.
  • Do security patterns produce more secure software? Published at ICSE'15
  • Comparing text mining to software metrics as predictors of vulnerabilities. Published at ISSRE'14, in IEEE Transactions on Reliability, and at ESEM 2016
  • Predicting Vulnerable Software Components via Text Mining (for Android apps). Published in IEEE Transactions on Software Engineering in 2014
  • Empirical Evaluation of a Privacy-Focused Threat Modeling Methodology (100 students + 7 professionals). Published in the Journal of Systems and Software in 2014
  • A descriptive study of Microsoft's threat modeling technique (57 subjects, 5th year master students). Published in Requirements Engineering in 2013
  • Static Analysis vs. penetration testing (9 subjects, professionals). Published at ISSRE'13
  • Change Patterns for Evolving Trust (12 subjects, 5th year master students). Published in the SoSyM journal in 2012
  • Annotations in Security Patterns (90 subjects, 4th year master students). Published at ICSE'12
  • Aspect-Oriented Modeling with Domain Specific Models (16 subjects, PhD students). Published at ESEM'11
  • Aspect-Oriented Modeling with ThemeUML (10 subjects, PhD students). Published at AOSD'10