A critical piece of securing our nation's digital infrastructure is reducing vulnerabilities in software. Vulnerabilities, while prominent in the media and in the national conversation, are rare occurrences in software, existing in only approximately 1% of source code files. While many vulnerabilities look like simple coding mistakes, preventing them is extraordinarily difficult: they are small, difficult to test for, and require an attacker's mindset to anticipate. Software engineering researchers have been studying how these vulnerabilities manifest themselves in software from an empirical, evidence-based perspective. While this research knowledge has proven useful to academic audiences, the stories of how vulnerabilities arise in software have yet to reach a wider audience, namely students and professional software engineers.
In this webinar, Dr. Andy Meneely will discuss his efforts to create the Vulnerability History Project (VHP). The VHP is a data source, a collaboration platform, and a visual tool for exploring the engineering failures behind vulnerabilities. It is a collaboration among undergraduate students, security researchers, and professional software engineers to aggregate, curate, annotate, and visualize the history behind the thousands of vulnerabilities that are patched in software systems every year. This data curation project allows researchers to conduct in-depth studies of open source products, and it educates software engineers, both in training and in the field, about what can go wrong in a software project and lead to vulnerabilities.
Rochester Institute of Technology
Andy Meneely has been an assistant professor of Software Engineering at RIT since 2011. His research and teaching are focused on how software engineers can build secure systems, and on how we can learn from software project histories in both quantitative and qualitative ways. Andy received his PhD in Computer Science at North Carolina State University in Raleigh, North Carolina, under Laurie Williams. His doctoral dissertation, titled Investigating the Relationship between Developer Collaboration and Software Security, involved formulating metrics to examine the socio-technical structure of software development teams using social network analysis. His research has resulted in many top-tier academic publications. He also earned his Master's at NCSU in 2008. Andy received his Bachelor of Arts at Calvin College, Grand Rapids, MI, where he was a double major in Computer Science and Mathematics.
Bowling Green State University
Robert Dyer is an Assistant Professor in the Department of Computer Science at Bowling Green State University. He received his Ph.D. from Iowa State University in 2013. His research areas are Software Engineering, Big Data applications, and Programming Languages. Currently his research focuses on the Boa project, which provides a domain-specific language and infrastructure that allow researchers to easily mine a very large number of software repositories. Robert has served on the program committees for Modularity and OOPSLA Artifacts and has reviewed for journals such as Empirical Software Engineering. He is currently a member of ACM SIGSOFT and SIGPLAN, and the ACM SIGSOFT Webinar Coordinator.