Overview

Modern software engineering paradigms embrace ‘shift left’ ideology; shift the security consideration to as early as possible in the development lifecycle. After all, proactive prevention is significantly cheaper than reactive fixing and patching.

However, developing secure code is no easy task. We enable this transition through intelligent data-driven tool support, that operates ‘just-in-time’ before vulnerabilities would enter a codebase.

Publications

• LineVD: Statement-level Vulnerability Detection using Graph Neural Networks. 2022.
• On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models. 2022.
• Automated Security Assessment for the Internet of Things. 2021.
• Deepcva: Automated commit-level vulnerability assessment with deep multi-task learning. 2021.
• A Survey on Data-driven Software Vulnerability Assessment and Prioritization. 2021.
• Deep Learning for Source Code Modeling and Generation: Models, Applications, and Challenges. 2021.
• An empirical study of rule-based and learning-based approaches for static application security testing. 2020.
• Automated Software Vulnerability Assessment with Concept Drift. 2019.

Project Members

• Triet Le
• Roland Croft
• Mehdi Kholoosi

Overview

AI-based and data-driven solutions for software vulnerability analytics are being increasingly accepted by industry. Snyk, one of the biggest security vendors, uses an AI engine for their source code analysis tool.

However, data and information quality serves as a major limiting barrier to any data-driven approach. Reliance on software vulnerability reporting practices leads to weak label indicators and poor data quality.

In this project, we analyse the data quality of software vulnerability information sources, and provide robust methods to overcome such challenges.

Publication

• Noisy Label Learning for Security Defects. 2022.
• An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources. 2022.
• Data Preparation for Software Vulnerability Prediction: A Systematic Literature Review. 2021.

Project Members

• Triet Le
• Roland Croft
• Mehdi Kholoosi

Overview

Developer-centric security aims to empower developers to be capable of individually achieving an organisation’s security goals. At the base, developers need adequate security knowledge and awareness to achieve such aims.

However, in the modern software security landscape, a secure software developer is required to know and memorize thousands of security weaknesses and patterns to defend against, and this list of required knowledge is growing every day. Developers cannot keep up with the abundance of security information that they need to process.

In this project, we provide tools and services to automatically disseminate large-scale security knowledge from open sources.

Publication

• An empirical study of developers’ discussions about security challenges of different programming languages. 2022.
• Challenges in Docker Development: A Large-scale Study Using Stack Overflow. 2020.
• A Large-scale Study of Security Vulnerability Support on Developer Q&A Websites. 2021.
• PUMiner: Mining Security Posts from Developer Question and Answer Websites with PU Learning. 2020.

Project Team

• Triet Le
• Roland Croft
• Mubin Ul Haque
• Mehdi Kholoosi
• Ali Kazemi Arani

Overview

Containers become increasingly popular as a virtualization technology to build softwarized infrastructures. A container includes an application and its dependencies such as code, libraries, and configuration files to support a target application. Thus, containers promote modularity and reproducibility, two of the reasons for making containers popular.

Security is a critical consideration while adopting containerization. Several survey results among software professionals indicated security as the top-concern in establishing a reliable container environment.

In this project, we leverage various automated approaches to develop tools and techniques to better understand the developers’ viewpoint on security while adopting container technologies. We study a large volume of container-related data in open source software repositories (GitHub), Question/Answering Platforms (Stack Overflow, Docker Forum) as well as container image repositories (Docker Hub) to find and analyse the security issues.

This research will help container developers and researchers to understand container security requirements, provide a broad view of possible security attacks and their countermeasures.

Publications

• Well Begun is Half Done: An Empirical Study of Exploitability & Impact of Base-Image Vulnerabilities. 2021.
• KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration. 2021.
• Challenges in docker development: A large-scale study using stack overflow. 2020.

Team Members

• Mubin Ul Haque

Overview

Due to the sheer number of attacks, machine learning has become a popular choice for phishing detection systems. However, an intelligent attack can easily fool or get around these detection systems via adversarial inputs.

We investigate the types of attacks that an adversary may perform, and provide defences against them.

Publications

• ReinforceBug: A framework to generate adversarial textual examples. 2021.
• An evasion attack against ml-based phishing url detectors. 2020.

Team Members

• Bushra Sabir