Ruhr-Uni-Bochum

Riccardo Scandariato (Technische Universität Hamburg)

"Model-based security: Connecting models and code"

Copyright: Riccardo Scandariato

Abstract. This talk is positioned in the concept areas of "security by design" and “shifting security left”. In particular, it elaborates on the idea of addressing security threats at a higher level of abstraction, like, for instance, in the architectural design of a software system. In this respect, several model-based security techniques have been defined in literature, e.g., to check security and privacy properties in a design model. This talk will briefly review some of these techniques and problematize their adoption with respect to the emerging trends of fast-paced development and software supply chains. The talk will also illustrate how model extraction, feature localization and model-to-code traceability can be leveraged to mitigate some of these challenges. The case of microservice applications will be used as an example and the talk will present some emerging results obtained in the context of AssureMOSS, a research project funded by the EU.

Biography. Riccardo Scandariato is a father, an amateur photographer, and a professor at the Hamburg University of Technology (in no particular order). At TU Hamburg, he leads the Institute of Software Security, which has been newly founded in late 2020. Previously, he was a full professor at the University of Gothenburg, Sweden. When social media were still yet to come, he obtained his PhD in Computer Science from Politecnico di Torino, Italy. Together with his team, Riccardo applies an interdisciplinary approach to create innovative tools and techniques to design and implement secure and privacy-friendly applications. At the Institute of Software Security, the target application domains are micro-services, Internet-of-Things ecosystems, and cyber-physical systems. While the main interest is in the technical aspects of software security, the group also investigates how security techniques can be made more effective and usable for the developers. The core research topics are: Model-based security, program repair for software security, benchmarking security features in application software, prediction of software vulnerabilities, threat and risk analysis, usable security and privacy.