SSE 2020

The 6th International Workshop on Secure Software Engineering (SSE 2020)

to be held in conjunction with the 15 th International Conference on Availability, Reliability and Security
(ARES 2020 – )

August 25 – August 28, 2020

GOAL: Organizations are required often to produce secure software. They apply a software development and operation processes that integrate activities such as threat modeling, security code analysis, and security code review. The goal of the workshop is to bring together security and software development researchers and practitioners to share their finding, experiences, and positions about developing secure software. The workshop aims to encourage the use of scientific methods to investigate the challenges related to developing secure software. It aims also to increase the communication between security researchers and software development researchers to enable
the development of techniques and best practices for developing secure software.

Topics of interest include, but are not limited to

Experience with secure DevOps
Data-driven secure software development
Challenges for agile development of secure software
Incremental development of cyber-physical systems
Secure software development training and education

Tools supporting incremental secure software development
Usability of agile secure software development
Security awareness for software developers
Security and robustness testing in agile development

Important Dates
Submission Deadline May 4, 2020
Author Notification June 1, 2020
Proceedings Version June 19, 2020
ARES EU Symposium August 25, 2020
All-Digital Conference August 25 – August 28, 2020
Workshop ChaiR

Juha Röning
University of Oulu


Benjamin Aziz, University of Portsmouth, UK
Bhargava, Bharat, Purdue University, USA
Achim Brucker, University of Sheffield, UK
Joern Eichler, Freie Universität Berlin, Germany
Felderer, Michael, Universität Innsbruck, Austria
Vimal Kumar, University of Waikato, New Zealand
Lotfi ben Othmane, Iowa State University, USA
Sandra Ringman, Konstanz University of Applied Sciences, Germany
Juha Röning, University of Oulu, Finland
Markus Wagner, St.Pölten University of Applied Sciences, Austria
Edgar Weippl, SBA Research, Austria
Hasan Yasar, Carnegie Mellon University, USA
Koen Yskout, KU Leuven, Belgium
Mohammad Zulkernine, Queen’s University, Canada

Submission Guidelines

The submission guidelines valid for the SSE workshop are the same as for the ARES conference. It is necessary that all papers submitted to EasyChair are anonymized (no names or affiliations of authors should be visible in the paper).

They can be found at: . Select track: SSE 2020

Authors of selected papers that are accepted by and presented at the workshop will be invited to submit an extended version to special issues of international journals.

Keynote speaker

Hasan Yasar , technical manager of the Secure Lifecycle Solutions Group in the SEI’s CERT Division.

Title:Reviewing the DevSecOps community surveys: What we learned in the last 6 years on how to be a DevSecOps Elite

Abstract : We’ve spent six years studying the secure coding practices of DevOps and the continuous delivery organizations by surveying over 20,000 software professionals.  We’ve analyzed their staffing practices, educational priorities, automation choices, security tools usage and various software development processes that improve their cybersecurity preparedness. Our study has also uncovered details of where automation fails, awareness falls short and breaches happen.

We know, as a collective team, how to produce the highest quality of software by following a DevOps methodology. This methodology helps us enforce security checks at each phase in a SDLC.  We learned many lessons on how automation help improve security. For example, how happy developers vs grumpy developers effect better software security. More specifically, recent surveys point out that mature DevOps practices are 3.6x more likely to consider security as a top concern and 2x more likely to have automated governance and compliance. Mature DevOps practices are constantly testing, deploying, and validating that the software meets every requirement and allows for fast recovery in the event of a problem.

Hasan Yasar is the technical manager of the Secure Lifecycle Solutions Group in the SEI’s CERT Division. His group focuses on software development processes and methodologies, specifically on DevOps and development, and researches advanced image analysis, cloud technologies, and big data problems. It also provides expertise and guidance to SEI’s clients. Yasar has more than 25 years’ experience as senior security engineer, software engineer, software architect, and manager in all phases of secure software development and information modeling processes. He has an extensive knowledge of current software tools and techniques. He is also specializes in secure software solutions design and development in the cybersecurity domain, including data-driven investigation and collaborative incident management, network security assessment, automated, large-scale malware triage/analysis, medical records management, accounting, simulation systems, and document management. He is also an adjunct faculty member in the CMU Heinz College and Institute of Software Research where he currently teaches Software and Security and DevOps: Engineering for Deployment and Operations.

His current areas of professional interest include the following:

  • secure software development including threat modeling, risk management framework and software assurance model
  • secure DevOps process, methodologies and implementation
  • software development methodologies (Agile, Safe, DevOps)
  • cloud based application development, deployment and operations
  • software architecture, design, develop and management of large-scale enterprise systems