Principal Research Scientist

SAP Security Research

About me

I am a Principal Research Scientist in the Security Research team at SAP. I am based in Sophia-Antipolis, in Southern France, and I have been with SAP since 2010.

My current interests are primarily in software security, with an emphasis on ways to ensure the secure consumption of open-source software in large enterprise applications and on the use of machine learning to address this challenge (please see the publications section of this site for more details and links to pre-prints). I am a core member of the team that invented and developed Eclipse Steady, the tool that SAP has used since 2015 to scan the dependencies of its Java products. In February 2019 my colleagues and I also released the vulnerability dataset that fuels Steady at SAP; that dataset is now part of project KB.

Before joining SAP, I was a post-doc fellow and then a full-time researcher at the Italian National Research Council (CNR) in Pisa, Italy, in Antonia Bertolino's lab, where I spent four years overall.

During my PhD, in 2005 and 2006, I spent 7 months overall as a visiting researcher in Dorina Petriu’s team, at Carleton University, Ottawa.

I received both my PhD (2007) and my Master’s degree (2003) in Computer Science and Engineering from the University of Rome ‘Tor Vergata’ (Italy), under the guidance of Vincenzo Grassi and Raffaela Mirandola.

You may find additional information about me on LinkedIn and on Google Scholar.

To get in touch with me, just click here and write me a message.

Interests

  • Software Engineering
  • Software Security
  • Security of Open-Source Software
  • Applications of Machine Learning

Education

  • PhD in Computer Science and Automation Engineering, 2007

    University of Rome 'Tor Vergata'

  • MEng in Computer Science/Engineering, 2003

    University of Rome 'Tor Vergata'

Experience

Research Expert (Principal Scientist)

SAP Security Research

Jul. 2019 – Present, Mougins, France
  • Automated approaches to identify, assess and mitigate vulnerabilities in open-source components
  • Learning source code representations for machine learning applications
  • Technical lead of EU-funded project AssureMOSS – https://assuremoss.eu
  • Lead of the Intelligent Code Analysis program at SAP Security Research
  • Lead of open-source project “KB”

Senior Researcher

SAP Security Research

Mar. 2013 – Dec. 2019, Mougins, France
  • Automated approaches to identify, assess and mitigate vulnerabilities in open-source components
  • Machine learning for software security analysis and vulnerability detection

Researcher

SAP Security Research

Oct. 2010 – Feb. 2013, Mougins, France
  • Lead architect in EU-funded project Assert4SOA
  • Security certification of Web Services

Post-doc Fellow (2006-2008), then Researcher (2008-2010)

CNR-ISTI

Jan. 2010 – Sep. 2010, Pisa, Italy
I worked in the domain of software testing, performance analysis, and monitoring, particularly in the context of service-oriented systems.

Visiting Researcher (II)

Carleton University

May 2006 – Aug. 2006, Ottawa, Canada

During this second visit to Carleton University, I worked with Dorina Petriu on combining concepts from the aspect-oriented paradigm and graph grammars to represent crosscutting concerns (performance, security) in software models.

Visiting Researcher (I)

Carleton University

May 2005 – Jul. 2005, Ottawa, Canada

During this first visit, I worked on using graph grammars to abstract information from software models, as a preliminary step for further model transformation into a different target representation.

PhD Candidate

Univ. of Rome ‘Tor Vergata’

Oct. 2003 – Jun. 2007, Rome, Italy

PhD thesis on model-driven methods to automate the performance analysis of software systems

Selected publications (the most cited)

Projects

Eclipse Steady

Eclipse Steady supports software development organizations in regards to the secure use of open-source components during application development. The tool analyzes Java and Python applications in order to: detect whether they depend on open-source components with known vulnerabilities, collect evidence regarding the execution of vulnerable code in a given application context (through the combination of static and dynamic analysis techniques), and support developers in the mitigation of such dependencies.
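The paragraph above separates two questions that a dependency scanner can answer: whether an application declares a dependency in a known-vulnerable version range, and whether the vulnerable code in that dependency is actually reachable from the application. The Python sketch below is an added example that illustrates this distinction; it is not code from Eclipse Steady, project KB or SAP. The package names, version numbers, vulnerability identifiers (KB-EXAMPLE-1, KB-EXAMPLE-2) and the application source are all constructed for the example, and the "static analysis" is a deliberately simple call-graph walk over the Python `ast` module rather than the tool's actual technique.

```python
"""Toy open-source vulnerability check: dependency match plus static reachability evidence."""
import ast
from collections import deque

# Constructed knowledge base: hypothetical packages and identifiers, not real CVEs.
# Each record names the constructs (functions) that a fix commit would have changed.
VULN_KB = [
    {"id": "KB-EXAMPLE-1", "package": "imglib", "fixed_in": (2, 0, 0),
     "vulnerable_constructs": {"imglib.decode.parse_header"}},
    {"id": "KB-EXAMPLE-2", "package": "zipkit", "fixed_in": (1, 3, 1),
     "vulnerable_constructs": {"zipkit.extract_all"}},
]

# Constructed dependency manifest of the application under analysis.
DEPENDENCIES = {"imglib": "1.4.2", "zipkit": "1.2.0", "textutil": "3.1.0"}

# Constructed application source: both vulnerable packages are declared, but only
# imglib's vulnerable construct is reachable from main().
APP_SOURCE = '''
import imglib.decode
import zipkit
from textutil import normalize

def load_image(path):
    return imglib.decode.parse_header(open(path, "rb").read())

def list_archive(path):
    return zipkit.list_entries(path)

def unused_helper(path):
    return zipkit.extract_all(path)   # defined but never called from main()

def main():
    img = load_image("photo.bin")
    names = list_archive("bundle.zip")
    return normalize(str(img)) + str(names)
'''


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def vulnerable_dependencies(deps, kb):
    """Step 1: declared dependencies whose version is below the fixed version."""
    return [rec for rec in kb
            if rec["package"] in deps
            and parse_version(deps[rec["package"]]) < rec["fixed_in"]]


class CallGraphBuilder(ast.NodeVisitor):
    """Records, for each top-level function, the qualified names it calls."""

    def __init__(self):
        self.aliases = {}   # local name -> qualified name bound by an import
        self.edges = {}     # function name -> set of called qualified names
        self.current = None

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name
            else:                      # "import a.b" binds the name "a"
                top = alias.name.split(".")[0]
                self.aliases[top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        self.current = node.name
        self.edges.setdefault(node.name, set())
        self.generic_visit(node)
        self.current = None

    def visit_Call(self, node):
        name = self.qualify(node.func)
        if name and self.current is not None:
            self.edges[self.current].add(name)
        self.generic_visit(node)   # nested calls such as open(...) inside another call

    def qualify(self, expr):
        if isinstance(expr, ast.Name):
            return self.aliases.get(expr.id, expr.id)
        if isinstance(expr, ast.Attribute):
            base = self.qualify(expr.value)
            return f"{base}.{expr.attr}" if base else None
        return None                # calls on arbitrary expressions are not resolved


def reachable_constructs(source, entrypoint="main"):
    """Step 2: every qualified name reachable from the entry point in the call graph."""
    builder = CallGraphBuilder()
    builder.visit(ast.parse(source))
    seen, queue = set(), deque([entrypoint])
    while queue:
        for callee in builder.edges.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                if callee in builder.edges:   # local function: keep expanding
                    queue.append(callee)
    return seen


def assess(deps, kb, source):
    """Per vulnerable dependency: is any vulnerable construct statically reachable?"""
    reached = reachable_constructs(source)
    return {rec["id"]: bool(rec["vulnerable_constructs"] & reached)
            for rec in vulnerable_dependencies(deps, kb)}


if __name__ == "__main__":
    for vuln_id, reachable in assess(DEPENDENCIES, VULN_KB, APP_SOURCE).items():
        print(f"{vuln_id}: vulnerable version declared; reachable from main() = {reachable}")
```

Both dependencies are flagged by the version match in step 1, but step 2 produces evidence only for KB-EXAMPLE-1: the call path main() -> load_image() -> imglib.decode.parse_header exists, whereas zipkit.extract_all is referenced only from a function nothing calls. A real tool would add dynamic evidence (traces from tests or production) on top of this static view, and would treat "not reachable" as absence of evidence rather than proof of safety, since reflective or dynamically constructed calls are invisible to a walk like this one.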

AssureMOSS

The mission of AssureMOSS is to produce a coherent set of automated, lightweight techniques that allow software companies to assess, manage, and re-certify the security and privacy risks associated with the fast-paced development and continuous deployment of multi-party open software and services (for which we introduce the MOSS acronym).

Intelligent Code Analysis

Deep learning methods, which have found successful applications in fields like image classification and natural language processing, have recently been applied to source code analysis too, due to the enormous amount of freely available source code (e.

Contact

  • SAP Labs France -- 805, Avenue Maurice Donat, Mougins, 06254