Security by Design through Constructive Software Security
The Secure Software Engineering Group develops methods and tools for Constructive Software Security. Current software engineering processes often treat security as a non-functional concern that enters the developers' consideration only late in the development process. The results are often disastrous, leading to security and privacy breaches that cost companies a significant loss in reputation and/or revenue, in addition to the significant personal harm that can arise from privacy invasions such as identity theft.
The prime objective of the Secure Software Engineering Group is to prevent such problems from happening in the first place, by designing software with security built in, through a constructive software engineering process that considers security from the very beginning as an important software feature and a core asset. We develop methods that allow software developers to define security requirements, attack models and threat levels, and to state unambiguously how their piece of software fulfils those requirements and prevents the stated attacks. We develop effective automated and semi-automated tools that aid software developers in this task. Tool approaches include static and dynamic analyses for large-scale software as well as compilers that generate provably correct code from high-level, human-readable specification languages.