Andy Meneely — B. Thomas Golisano College of Computing & Information Sciences
In today’s digital society, software is more than a convenience: it’s our livelihood. The software that runs our lives must be secure. The cost of insecure software is more than monetary: it impacts us as consumers, patients, and citizens. The burden of delivering secure software falls squarely on the shoulders of today’s software engineers. Every vulnerability is an engineering failure that can have its roots in software design problems, team collaboration issues, socio-technical factors, and many others.
Dr. Meneely studies the phenomenon of software vulnerabilities by mining software repositories and trying to understand how these mistakes are made and missed. Using a combination of design metrics and human factors metrics, researchers in Meneely’s lab develop machine learning models for predicting the occurrence of vulnerabilities. These models are useful for prioritizing fortification efforts for software development teams, but they also speak to underlying truths about how humans work on code. In a recent study, for example, researchers in Meneely’s lab were able to show that developers who participate in a discussion of a vulnerability fix with their colleagues are less likely to have vulnerabilities in their own code later on. In another study, researchers in Meneely’s lab were able to predict vulnerabilities by simulating how attackers would search for weaknesses.
All of this historical research on vulnerabilities is also useful for the classroom. This research has been the foundation for the Engineering Secure Software course, a required course for the Software Engineering curriculum developed by Dr. Meneely. Using data from actual, historical vulnerabilities means that students get to experience what real software development is like, and what attackers are typically looking for.