Secure Software Systems Lab (S³ Lab)

About the Lab

The Secure Software Systems Lab (S³ Lab) conducts research at the intersection of software engineering and cybersecurity. Our work focuses on improving security across the software lifecycle, from early-stage design and requirements engineering to post-deployment vulnerability management.

We combine formal methods, machine learning, and empirical software analysis to:

  • Automate the detection and reasoning of security weaknesses in requirements and early design documentation,
  • Evaluate and improve vulnerability scoring and prioritization systems, and
  • Develop tools that make secure-by-design practices more practical and scalable.

Our goal is to advance both the science and practice of building secure, trustworthy software systems.

Current Projects

Data-Driven Vulnerability Management and Risk Prioritization

Our group investigates how organizations assess and prioritize software vulnerabilities in practice and how these processes can be improved through data-driven methods. We study the strengths and limitations of existing scoring systems and analyze how well these metrics align with each other and with real-world exploitation trends. Building on our recent empirical studies, we are developing metrics and models that combine statistical analysis and machine learning to provide more accurate, context-aware vulnerability prioritization. Students involved in this project can explore vulnerability datasets, perform correlation and predictive analyses, and contribute to the design of next-generation risk assessment tools that better support security decision-making.

Detecting Security Weaknesses in Software Requirements and Early Design

This project focuses on improving software security at its foundation: the early requirements and design stages. We are building automated methods to detect and explain potential security weaknesses in natural-language requirements even before code is written. Our work integrates machine learning (ML) with formal reasoning to translate informal requirements into analyzable specifications and identify design-level flaws such as missing access controls or weak authentication mechanisms. Building on our published research in secure requirements engineering, this ongoing effort aims to create practical tools that help developers and analysts reason about security early in the software lifecycle. Students involved in this project can gain hands-on experience with formal modeling, ML, and empirical evaluation of early design security analysis tools.

Join the Lab

The S³ Lab welcomes motivated students interested in the intersection of software engineering and cybersecurity.

Interested students (undergraduate or graduate) should reach out via email.