Lieven Desmet

I'm the Research Manager on Secure Software in the imec-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where I outline and implement the research strategy, coach junior researchers in (web) application security, and participate in dissemination and valorisation activities.

I'm also involved in the Open Web Application Security Project (OWASP) as a board member of the Belgium OWASP Chapter, and part of the organization team of the upcoming OWASP AppSec EU 2015 conference in Amsterdam.

Moreover, as program director of, I'm responsible for putting together the widely acclaimed 'secure software development' training programme, for aligning it closely with trends and challenges in research and industry, and for attracting top instructors from all over the world.

My up-to-date CV can be found on LinkedIn.

PGP Key fingerprint: 9597 45EE 3E23 E79C 614B D7BB DC30 0E62 3D26 C255

Research collaborations

To implement and execute the research strategy of our group, I contribute to the inception, submission and execution of various research projects. For instance, I have contributed to multiple EU-FP7 projects (among others WebSand, NESSoS and STREWS), iMinds ICON projects (among others CUSTOMSS, PUMA and DREAMaaS) and the IWT-SBO project SEC SODA, and I have set up several direct research collaborations with industry partners (contract research).

Please feel free to contact me if you have an interesting idea to pursue, or if you want to discuss opportunities to join a project consortium!


Key publications:

  1. Lieven Desmet, Martin Johns, Real-time communications security on the web, IEEE Internet Computing, volume 18, issue 6, pages 8-10, November 2014
  2. Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns, Primer on client-side web security, Springer, 2014
  3. Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, Frank Piessens, A security analysis of next generation web standards, Technical Report, European Network and Information Security Agency (ENISA), 31 July 2011
  4. Pieter Agten, Steven Van Acker, Yoran Brondsema, Phu H. Phung, Lieven Desmet, Frank Piessens, JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications, Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC 2012), pages 1-10, Orlando, Florida, USA, 3-7 December 2012
  5. Philippe De Ryck, Lieven Desmet, Wouter Joosen, Frank Piessens, Automatic and precise client-side protection against CSRF attacks, European Symposium on Research in Computer Security (ESORICS 2011), Lecture Notes in Computer Science, volume 6879, pages 100-116, Leuven, Belgium, 12-14 September 2011

Research interests

The most recent activities of my team of researchers drill down on the security of (web) applications in a multi-tenant, multiple domain context.

With CsFire, we propose a novel client-side mitigation technique against Cross-Site Request Forgery (CSRF), based on the fine-grained identification of malicious cross-domain requests as well as the stripping of implicit credentials (such as cookies and HTTP authentication headers) from those requests, as proposed in RequestRodeo. With the most recent trusted delegation policy, presented at ESORICS 2011, our solution securely protects the user against CSRF while preserving important scenarios such as third-party payment (e.g. PayPal) and third-party authentication (SSO). CsFire is available as an extension for Firefox and Chrome.
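To make the mechanism concrete, here is an added illustration of a CsFire-style client-side filter: it classifies an outgoing request by the origin of the page that initiated it, and strips implicit credentials from cross-origin requests unless a trusted delegation covers them. This is example code written for this page, not CsFire's own implementation; the request shape, the concrete policy rules (parameter-less cross-origin GETs are accepted, everything else cross-origin is stripped), the origin-based rather than domain-based comparison, and the delegation list are all assumptions made for the illustration.

```javascript
// Added example, not CsFire's code. Policy rules, request shape and the
// delegation table below are assumptions for illustration only.

// Headers that carry implicit credentials and are removed from a request
// the policy does not trust. (Assumed set.)
const IMPLICIT_CREDENTIAL_HEADERS = new Set(['cookie', 'authorization']);

// Trusted delegations (assumed configuration): a site hands the user off to a
// third party (payment provider, identity provider) and trusts the requests
// flowing between the two in either direction.
const TRUSTED_DELEGATIONS = [
  { site: 'https://shop.example', delegate: 'https://pay.example' }, // third-party payment
  { site: 'https://app.example',  delegate: 'https://sso.example' }, // third-party authentication (SSO)
];

function isTrustedDelegation(srcOrigin, dstOrigin) {
  return TRUSTED_DELEGATIONS.some(d =>
    (d.site === srcOrigin && d.delegate === dstOrigin) ||
    (d.site === dstOrigin && d.delegate === srcOrigin));
}

// Decide what to do with one outgoing request.
//   req.sourceOrigin : origin of the page that initiated the request, or null
//                      for a navigation without initiator (user typed the URL)
//   req.url, req.method, req.headers : the request itself
// Returns 'accept' (send unchanged) or 'strip' (send without implicit credentials).
function decide(req) {
  const target = new URL(req.url);
  if (req.sourceOrigin === null || req.sourceOrigin === target.origin) return 'accept';
  if (isTrustedDelegation(req.sourceOrigin, target.origin)) return 'accept';
  // Cross-origin and not delegated: a parameter-less GET (a plain link) keeps
  // its credentials; any request that carries data to the target is stripped.
  if (req.method.toUpperCase() === 'GET' && target.search === '') return 'accept';
  return 'strip';
}

// Apply the decision: returns a copy of the request with the decision recorded
// and, when stripped, without the implicit-credential headers.
function applyPolicy(req) {
  const decision = decide(req);
  if (decision === 'accept') return { ...req, decision };
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (!IMPLICIT_CREDENTIAL_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  return { ...req, headers, decision };
}

// Constructed sample requests (not captured traffic); hosts are placeholders.
const SAMPLE_REQUESTS = [
  { sourceOrigin: 'https://bank.example', method: 'POST', url: 'https://bank.example/transfer',
    headers: { Cookie: 'session=abc', Accept: 'text/html' } },          // same origin
  { sourceOrigin: 'https://evil.example', method: 'POST', url: 'https://bank.example/transfer',
    headers: { Cookie: 'session=abc', Authorization: 'Basic dXNlcjpwdw==', Accept: 'text/html' } }, // classic CSRF
  { sourceOrigin: 'https://blog.example', method: 'GET', url: 'https://bank.example/',
    headers: { Cookie: 'session=abc' } },                                 // plain cross-origin link
  { sourceOrigin: 'https://evil.example', method: 'GET', url: 'https://bank.example/transfer?to=mallory&amount=1000',
    headers: { Cookie: 'session=abc' } },                                 // GET with parameters
  { sourceOrigin: 'https://pay.example', method: 'POST', url: 'https://shop.example/checkout/callback',
    headers: { Cookie: 'cart=42' } },                                     // trusted delegation
  { sourceOrigin: null, method: 'GET', url: 'https://bank.example/account',
    headers: { Cookie: 'session=abc' } },                                 // typed navigation
];

function runSamples() {
  return SAMPLE_REQUESTS.map(applyPolicy);
}

for (const r of runSamples()) {
  console.log(r.decision.padEnd(6), r.method.padEnd(4), r.url, Object.keys(r.headers).join(','));
}
```

The delegation table is the part a deployment would have to get right: without it the filter would strip the shop's session cookie from the payment provider's callback and break the checkout, which is exactly the scenario the trusted delegation policy above is meant to preserve.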

With WebJail and JSand, we securely integrate third-party JavaScript content according to a least-privilege security policy. This secure composition policy is inspired by a recent HTML5 security study our team conducted on 13 emerging W3C web specifications (HTML5 and friends), commissioned by the European Network and Information Security Agency (ENISA). More recently, we have been involved in the security assessment of WebRTC/RTCWeb, in close collaboration with colleagues from W3C, IETF and SAP.

Finally, we have contributed to security middleware solutions. We have developed middleware to provide complex security services (such as non-repudiation) in multi-tier web environments, as well as a scalable authorization architecture to enable XACML authorization in SOA environments. To also support the dynamic reconfiguration of policy enforcement in such a distributed authorization system, we have proposed a runtime management tool (presented at Middleware 2011) to satisfy both security and performance needs.

Software verification

During my PhD, I worked on a broad variety of topics, including static software verification, run-time monitoring, dynamic software architectures and web service security. The main topic of my PhD dissertation is the combination of static and dynamic software verification to guarantee the absence of broken data dependencies in data-centered component-based applications. My most recent publication on this topic appeared in IEEE Transactions on Software Engineering: Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies.

In 2008, I went abroad to Aachen (Germany) for a six-month research visit at the European Microsoft Innovation Center (EMIC). At EMIC, I worked together with Microsoft Research and the Universität des Saarlandes on the formal verification of the Microsoft Viridian hypervisor (Hyper-V), which is part of Windows Server 2008. This research was done in the context of the Verisoft XT project.

Contact info

  • Office: 04.144
  • Address:
    Dept. Computer Science
    Celestijnenlaan 200A
    B-3001 Heverlee
  • Tel: +3216326259
  • Fax: +3216327996
  • Email: Lieven Desmet
  • Personal homepage