Security is an ever-present and growing problem in the web and mobile app domain. Norton reports that the number of reported mobile app vulnerabilities doubled from 2010 to 2011 and that one in eight legitimate web sites has at least one critical vulnerability. The impact of security vulnerabilities has also been amplified as users put increasingly more personal and sensitive information, such as banking credentials, social network accounts, and photos, onto their mobile devices.

Tools that our group has developed, such as PUMA, SIF, and Violist, allow us to explore, monitor, and predict the runtime behavior of mobile apps. We are currently working on projects to apply these techniques to mobile apps with the goal of improving their security.

Our prior work in security focused on web applications, in particular on techniques for preventing SQL injection attacks. Readers interested in a survey of SQL injection attack techniques may find our ISSSE 2006 paper [3] useful. The AMNESIA technique is described in depth on its own page, as is the SQL Injection Testbed.

2011
[9] Improving penetration testing through static and dynamic analysis. William G. J. Halfond, Shauvik Roy Choudhary, Alessandro Orso. In Software Testing, Verification and Reliability, John Wiley & Sons, Ltd., Volume 21, 2011.
2009
[8] Penetration Testing with Improved Input Vector Identification. William G. J. Halfond, Shauvik Roy Choudhary, Alessandro Orso. In Proceedings of the International Conference on Software Testing, Verification, and Validation, April 2009. Best Presentation Award.
2008
[7] WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation. William G. J. Halfond, Alessandro Orso, Panagiotis Manolios. In Transactions on Software Engineering, Volume 34, 2008.
2007
[6] Malware Detection. William G. J. Halfond, Alessandro Orso. Chapter in Detection and Prevention of SQL Injection Attacks (S. Jha, D. Song, D. Maughan, C. Wang, eds.). Springer, 2007.
2006
[5] Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. William G. J. Halfond, Alessandro Orso, Panagiotis Manolios. In Proceedings of the Symposium on the Foundations of Software Engineering (FSE 2006), November 2006.
[4] Preventing SQL Injection Attacks Using AMNESIA. William G. J. Halfond, Alessandro Orso. In Proceedings of the International Conference on Software Engineering, Formal Demo, May 2006.
[3] A Classification of SQL-Injection Attacks and Countermeasures. William G. J. Halfond, Jeremy Viegas, Alessandro Orso. In Proceedings of the International Symposium on Secure Software Engineering (ISSSE), March 2006.
2005
[2] AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. William G. J. Halfond, Alessandro Orso. In Proceedings of the International Conference on Automated Software Engineering, November 2005.
[1] Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. William G. J. Halfond, Alessandro Orso. In Proceedings of the International Workshop on Dynamic Analysis (WODA), May 2005.