Research

I'm the Research Manager on Secure Software in the DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where I outline and implement the research strategy, coach junior researchers in (web) application security, and participate in dissemination and valorisation activities.

My main research interests are in (web) application security and software verification. I'm also involved in the Open Web Application Security Project (OWASP) as a board member of the Belgium OWASP Chapter. In addition, I have organized the refereed paper track at the OWASP AppSec Conference Europe.

Research collaborations

To implement and execute the research strategy of our group, I contribute to the inception, submission and execution of various research projects. For instance, I have contributed to multiple EU-FP7 projects (among others WebSand and NESSoS), IBBT ICON projects (among others CUSTOMSS, PUMA and DREAMaaS) and the IWT-SBO project SEC SODA, and I have set up several direct research collaborations with industry partners (contract research). More information about past and ongoing projects can be found here.

As IBBT ICON coordinator, I coordinate and supervise the submission of ICON project proposals for the IBBT security department. ICON projects are demand-driven and interdisciplinary research projects, executed by a consortium of IBBT labs and local industry partners, funded by IBBT and IWT.

More information about the upcoming IBBT ICON call can be found here. Please feel free to contact me if you have an interesting idea to pursue, or if you want to discuss opportunities to join a project consortium!

Research interests

The most recent activities of my team of researchers focus on the security of (web) applications in a multi-tenant, multi-domain context.

With CsFire, we propose a novel client-side mitigation technique against Cross-Site Request Forgery (CSRF). It builds on the fine-grained identification of malicious cross-domain requests and on the stripping of implicit credentials (the cookies and HTTP authentication headers the browser attaches automatically), as proposed in RequestRodeo. With the most recent trusted delegation policy, presented at ESORICS 2011, our solution securely protects the user against CSRF while preserving important scenarios such as third-party payment (e.g. PayPal) and third-party authentication (SSO). CsFire is available as an extension for Firefox 3.5 and higher, and we are working on a Chrome version as well.
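To make the mechanism concrete, here is an added example of the request-filtering logic described above. It is not CsFire's own code: it classifies an outgoing request by comparing the origin of the initiating document with the target origin, strips implicit credentials from cross-origin requests, and keeps them only for initiator/target pairs listed in a trusted delegation policy (a shop delegating to a payment provider, an application delegating to its SSO provider). The policy format, the request representation, the header names treated as implicit credentials and the example origins are all assumptions of this example.

```javascript
// Added example, not CsFire's code. Headers the browser adds implicitly and
// that a forged cross-origin request would otherwise carry (assumption: the
// extension's real list may differ).
const IMPLICIT_CREDENTIAL_HEADERS = ["cookie", "authorization"];

// Trusted delegation policy (hypothetical example data): the initiator origin
// may send credentialed requests to the target origin.
const delegationPolicy = [
  { initiator: "https://shop.example", target: "https://pay.example" },
  { initiator: "https://app.example", target: "https://sso.example" },
];

// Reduce a URL to its origin (scheme + host + port).
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function isDelegated(policy, initiatorOrigin, targetOrigin) {
  return policy.some(
    (e) => e.initiator === initiatorOrigin && e.target === targetOrigin
  );
}

// Classify one request. `request` is { url, initiatorUrl, headers }, where
// initiatorUrl is null for requests typed or bookmarked by the user.
// Returns the decision and the headers the request may be sent with.
function filterRequest(request, policy = delegationPolicy) {
  const target = origin(request.url);
  const initiator = request.initiatorUrl ? origin(request.initiatorUrl) : null;
  const headers = { ...request.headers };

  // User-initiated or same-origin: nothing to strip.
  if (initiator === null || initiator === target) {
    return { decision: "allow", headers };
  }
  // Cross-origin but explicitly delegated (payment, SSO): keep credentials.
  if (isDelegated(policy, initiator, target)) {
    return { decision: "allow-delegated", headers };
  }
  // Cross-origin and not delegated: drop implicit credentials so the request
  // cannot act on behalf of the logged-in user at the target site.
  for (const name of Object.keys(headers)) {
    if (IMPLICIT_CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      delete headers[name];
    }
  }
  return { decision: "strip", headers };
}

// Constructed sample: a page on evil.example forging a transfer at bank.example.
const forged = filterRequest({
  url: "https://bank.example/transfer?to=attacker&amount=1000",
  initiatorUrl: "https://evil.example/index.html",
  headers: { Cookie: "session=abc123", Authorization: "Basic dXNlcjpwdw==" },
});
// forged.decision === "strip"; forged.headers has no Cookie or Authorization.
```

The request reaches the target site in either case; only the credentials are removed, so a site that does not rely on implicit credentials for a state change is unaffected, while a delegated flow such as a redirect to a payment provider keeps working.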

In addition, we are exploring the security impact of client-side and server-side mashups. With WebJail (presented at ACSAC 2011), we integrate third-party JavaScript content securely according to a least-privilege security policy. This secure composition policy is inspired by a recent HTML5 security study our team conducted on 13 emerging W3C web specifications (HTML5 and friends), commissioned by the European Network and Information Security Agency (ENISA).
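The following added example illustrates least-privilege integration of a third-party script in the spirit of the paragraph above; it is not WebJail's code. The integrator lists the capabilities a component may use, and every other entry point on the API object handed to the component is replaced by a stub that records and refuses the call. The capability names, the mock API object and the sample widget are constructed for this example; a real browser would expose DOM, network and geolocation APIs rather than these plain functions.

```javascript
// Added example, not WebJail's code. Thrown when a component calls a
// capability the integrator's policy did not grant.
class PolicyViolation extends Error {}

// Wrap `api` (an object of capability functions) so that only the names in
// `allowed` remain callable. Returns the confined API and a log of denied
// capability names, so the integrator can see what the component attempted.
function confine(api, allowed) {
  const allowedSet = new Set(allowed);
  const violations = [];
  const sandbox = {};
  for (const name of Object.keys(api)) {
    if (allowedSet.has(name)) {
      sandbox[name] = api[name];
    } else {
      sandbox[name] = () => {
        violations.push(name);
        throw new PolicyViolation(`capability '${name}' denied by policy`);
      };
    }
  }
  // Freeze so the component cannot add or replace capabilities; the Proxy
  // also rejects names the policy never listed at all.
  const proxy = new Proxy(Object.freeze(sandbox), {
    get(target, prop) {
      if (typeof prop === "string" && !(prop in target)) {
        violations.push(prop);
        throw new PolicyViolation(`unknown capability '${prop}' denied`);
      }
      return target[prop];
    },
  });
  return { api: proxy, violations };
}

// Run a third-party component under a policy; return its result and the
// violations it caused.
function runComponent(component, api, allowed) {
  const { api: confined, violations } = confine(api, allowed);
  const result = component(confined);
  return { result, violations };
}

// Constructed mock of the integrator's API (hypothetical capability names).
const mockApi = {
  dom: (selector) => (selector === "#city" ? "Leuven" : null),
  network: (url) => `fetched ${url}`,
  geolocation: () => ({ lat: 50.88, lon: 4.70 }),
  storage: (key) => `stored:${key}`,
};

// Constructed third-party widget: prefers geolocation, falls back to the
// city shown on the page, then fetches a forecast.
function weatherWidget(api) {
  let query;
  try {
    const pos = api.geolocation();
    query = `${pos.lat},${pos.lon}`;
  } catch (e) {
    if (!(e instanceof PolicyViolation)) throw e;
    query = api.dom("#city");
  }
  return api.network(`https://weather.example/?q=${query}`);
}

// Integrator grants dom and network only: the widget still works, and the
// denied geolocation attempt is logged.
const run = runComponent(weatherWidget, mockApi, ["dom", "network"]);
// run.result === "fetched https://weather.example/?q=Leuven"
// run.violations deep-equals ["geolocation"]
```

A component that needs a capability the policy withholds, and does not degrade gracefully, fails at the first denied call rather than silently gaining access; that is the intended behaviour of a least-privilege composition, and the violation log tells the integrator which grant the component expected.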

Finally, we have contributed to security middleware solutions. We have developed middleware to provide complex security services (such as non-repudiation) in multi-tier web environments, as well as a scalable authorization architecture to enable XACML authorization in SOA environments. To also support the dynamic reconfiguration of policy enforcement in such a distributed authorization system, we have proposed a runtime management tool (presented at Middleware 2011) to satisfy both security and performance needs.

Software verification

During my PhD, I worked on a broad variety of topics, including static software verification, run-time monitoring, dynamic software architectures and web service security. The main topic of my PhD dissertation is the combination of static and dynamic software verification to guarantee the absence of broken data dependencies in data-centered component-based applications. My most recent publication on this topic appeared in IEEE Transactions on Software Engineering: Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies.

In 2008, I went abroad to Aachen (Germany) for a six-month research visit at the European Microsoft Innovation Center (EMIC). At EMIC, I worked together with Microsoft Research and the Universität des Saarlandes on the formal verification of the Microsoft Hyper-V hypervisor (code name Viridian), which is part of Windows Server 2008. This research was done in the context of the Verisoft XT project.