I'm the Research Manager on Secure Software in the iMinds-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where I outline and implement the research strategy, coach junior researchers in (web) application security, and participate in dissemination and valorisation activities.
I'm also involved in the Open Web Application Security Project (OWASP) as a board member of the Belgium OWASP Chapter, and part of the organization team of the upcoming OWASP AppSec EU 2015 conference in Amsterdam.
Moreover, as program director of SecAppDev.org, I'm responsible for putting together the widely acclaimed 'secure software development' training programme, for keeping this programme closely aligned with trends and challenges in research and industry, and for attracting top instructors from all over the world.
My up-to-date CV can be found at https://www.linkedin.com/in/lievendesmet
PGP Key fingerprint: 9597 45EE 3E23 E79C 614B D7BB DC30 0E62 3D26 C255
To implement and execute the research strategy of our group, I contribute to the inception, submission and execution of various research projects. For instance, I successfully contributed to multiple EU-FP7 projects (among others WebSand, NESSoS and STREWS), iMinds ICON projects (among others CUSTOMSS, PUMA and DREAMaaS) and the IWT-SBO project SEC SODA, and I have set up several direct research collaborations with industry partners (contract research).
As iMinds ICON coordinator, I coordinate and supervise the submission of ICON project proposals for the iMinds Security Department. ICON projects are demand-driven and interdisciplinary research projects, executed by a consortium of iMinds labs and local industry partners, funded by IBBT and IWT.
More information about the upcoming iMinds ICON call can be found here. Please feel free to contact me if you have an interesting idea to pursue, or if you want to discuss opportunities to join a project consortium!
The most recent activities of my team of researchers drill down on the security of (web) applications in a multi-tenant, multiple domain context.
With CsFire, we propose a novel client-side mitigation technique against Cross-Site Request Forgery, based on the fine-grained identification of malicious cross-domain requests combined with the stripping of implicit credentials (such as cookies and HTTP authentication headers) as proposed in RequestRodeo. With the most recent trusted delegation policy, presented at ESORICS 2011, our solution securely protects the user against CSRF while preserving important scenarios such as third-party payment (e.g. PayPal) and third-party authentication (SSO). CsFire is available as an extension for Firefox 3.5 and higher, and we are working on a Chrome version as well.
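To make the mechanism concrete, the following is an added illustration written for this page; it is not CsFire's or RequestRodeo's code. It classifies an outgoing request by the relationship between the origin that initiated it and the origin it targets, and removes the browser-attached ("implicit") credentials only from requests that are cross-domain and not covered by a trusted delegation. The rule set (same-origin, user-initiated, delegated, or cross-domain), the bidirectional treatment of a delegation so that the return leg of a payment or SSO flow also keeps its credentials, and the delegation table and sample requests are all assumptions made for the example; CsFire's real policy is finer-grained than this.

```javascript
// Added example: a simplified CsFire/RequestRodeo-style credential-stripping filter.
// Not the project's own code; the policy rules and the delegation table are assumptions.

// Headers a browser attaches on its own, without the page script asking. These are the
// "implicit credentials" a CSRF attack rides on, so they are what the filter removes.
const IMPLICIT_CREDENTIAL_HEADERS = new Set(["cookie", "authorization"]);

// Origin = scheme + host + port, the same granularity the browser's same-origin policy uses.
function originOf(url) {
  return new URL(url).origin;
}

class CsrfFilter {
  // delegations: { "https://shop.example": ["https://pay.example"] } records that shop.example
  // has established a trusted delegation to pay.example. Hypothetical table for illustration.
  constructor(delegations = {}) {
    this.delegations = new Map(
      Object.entries(delegations).map(([src, targets]) => [src, new Set(targets)])
    );
  }

  // Assumption: a delegation covers both directions, so the redirect back from the payment
  // provider or identity provider to the delegating site keeps its credentials too.
  isDelegated(from, to) {
    const forward = this.delegations.get(from);
    if (forward && forward.has(to)) return true;
    const back = this.delegations.get(to);
    return !!(back && back.has(from));
  }

  // request: { url, initiatorOrigin, method, headers }
  //   initiatorOrigin: origin of the page that triggered the request, or null when the user
  //   typed the URL or used a bookmark (treated as not cross-domain, as in RequestRodeo).
  classify(request) {
    const target = originOf(request.url);
    if (request.initiatorOrigin === null) return "user-initiated";
    if (request.initiatorOrigin === target) return "same-origin";
    if (this.isDelegated(request.initiatorOrigin, target)) return "delegated";
    return "cross-domain";
  }

  // Returns the decision, the names of the stripped headers, and the request to send on.
  apply(request) {
    const kind = this.classify(request);
    if (kind !== "cross-domain") return { kind, stripped: [], request };
    const headers = {};
    const stripped = [];
    for (const [name, value] of Object.entries(request.headers || {})) {
      const lower = name.toLowerCase();
      if (IMPLICIT_CREDENTIAL_HEADERS.has(lower)) stripped.push(lower);
      else headers[name] = value; // everything else (content type, custom headers) is kept
    }
    return { kind, stripped, request: { ...request, headers } };
  }
}

// Constructed sample traffic (not captured data) covering the cases discussed above.
const SAMPLE_REQUESTS = [
  { name: "attacker-hosted form post", url: "https://bank.example/transfer",
    initiatorOrigin: "https://evil.example", method: "POST",
    headers: { Cookie: "session=abc", "Content-Type": "application/x-www-form-urlencoded" } },
  { name: "in-site navigation", url: "https://bank.example/account",
    initiatorOrigin: "https://bank.example", method: "GET", headers: { Cookie: "session=abc" } },
  { name: "checkout hand-off to payment provider", url: "https://pay.example/checkout",
    initiatorOrigin: "https://shop.example", method: "POST", headers: { Cookie: "paysess=xyz" } },
  { name: "payment provider returns to shop", url: "https://shop.example/order/42/paid",
    initiatorOrigin: "https://pay.example", method: "POST", headers: { Cookie: "shopsess=123" } },
  { name: "URL typed by the user", url: "https://bank.example/",
    initiatorOrigin: null, method: "GET", headers: { Cookie: "session=abc" } },
];

const DEFAULT_FILTER = new CsrfFilter({ "https://shop.example": ["https://pay.example"] });

// Run the filter over the samples and summarise what happened to each request.
function runSamples(filter = DEFAULT_FILTER, requests = SAMPLE_REQUESTS) {
  return requests.map((r) => {
    const out = filter.apply(r);
    return { name: r.name, kind: out.kind, stripped: out.stripped };
  });
}

for (const result of runSamples()) {
  console.log(`${result.kind.padEnd(14)} stripped=[${result.stripped.join(", ")}]  ${result.name}`);
}
```

Only the first sample loses its cookie: the shop-to-payment hand-off and its return leg are kept intact by the delegation entry, while same-origin and user-typed requests are never touched. A real browser extension would apply the same decision in a request-observer hook rather than on a plain object, and would need the browser to tell it which page initiated the request.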
Finally, we have contributed to security middleware solutions. We have developed middleware to provide complex security services (such as non-repudiation) in multi-tier web environments, as well as a scalable authorization architecture to enable XACML authorization in SOA environments. To also support the dynamic reconfiguration of policy enforcement in such a distributed authorization system, we have proposed a runtime management tool (presented at Middleware 2011) to satisfy both security and performance needs.
- Steven Van Acker, Nick Nikiforakis, Lieven Desmet, Wouter Joosen, Frank Piessens, FlashOver: Automated discovery of cross-site scripting vulnerabilities in rich internet applications, AsiaCCS, Seoul, 2-4 May 2012
- Philippe De Ryck, Lieven Desmet, Wouter Joosen, Frank Piessens, Automatic and precise client-side protection against CSRF attacks, European Symposium on Research in Computer Security (ESORICS 2011), Lecture Notes in Computer Science, volume 6879, pages 100-116, Leuven, Belgium, 12-14 September 2011
- Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, Frank Piessens, A security analysis of next generation web standards, Technical Report, European Network and Information Security Agency (ENISA), 31 July 2011
- Philippe De Ryck, Lieven Desmet, Thomas Heyman, Frank Piessens, Wouter Joosen, CsFire: Transparent client-side mitigation of malicious cross-domain requests, Engineering Secure Software and Systems, Lecture Notes in Computer Science, volume 5965, pages 18-34, Pisa, Italy, 3-4 February 2010
During my PhD, I worked on a broad variety of topics, including static software verification, run-time monitoring, dynamic software architectures and web service security. The main topic of my PhD dissertation is the combination of static and dynamic software verification to guarantee the absence of broken data dependencies in data-centered component-based applications. My most recent publication on this topic was published in IEEE Transactions on Software Engineering: Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies
In 2008, I went abroad to Aachen (Germany) for a six-month research visit at the European Microsoft Innovation Center (EMIC). At EMIC, I worked together with Microsoft Research and the Universität des Saarlandes on the formal verification of the Microsoft Viridian hypervisor, which is part of Windows Server 2008. This research was done in the context of the Verisoft XT project.