Lin Family Assistant Professor Daniel Votipka leads efforts to understand the processes and mental models of professionals who perform security tasks daily.
He also co-directs Tufts Security and Privacy Lab, which seeks to make the Internet safer through research focusing on how people build, operate, use, and defend systems.
Votipka's core research projects include:
- Secure Software Development
- Vulnerability Remediation
- Cybersecurity for All
Secure Software Development
Producing secure, trustworthy code is often a complex task as developers must know how to design with security in mind, know how to use appropriate languages, APIs, and other tools, and be able to identify security flaws in their implementations. Further, security is often a secondary task to functionality, limiting the amount of time and effort developers dedicate to security. In our research, we seek to understand the common mistakes developers make when performing secure development tasks and using existing tools so we can build more usable interfaces, making it easier for developers to produce secure code.
Vulnerability Remediation
When a vulnerability is made public, network administrators are expected to deploy patches or other mitigations to remediate these vulnerabilities. However, administrators must weigh the need to remediate against the impact these mitigations might have on their network, such as possibly disrupting critical services. To make this decision, weighing the potential cost of mitigation against the cost of not mitigating the vulnerability, administrators often rely on information about vulnerabilities provided by vendors, governments, and other third parties including expected severity and exploitability. We investigate the quality of this information, how it varies by vulnerability and provider, and how it is tracked across dependent software systems.
Cybersecurity for All
Unfortunately, there is limited capacity in today's workforce to complete the types of expert security work we focus on. Our research attempts to tackle this issue from multiple angles, all with the goal of making cybersecurity more accessible. The end goal of our work in other areas is to produce tools and other interventions that make cybersecurity tasks easier to perform and more efficient. However, these interventions only work for people who are able to join and actively participate in the community. To broaden the tent for cybersecurity, we are also investigating ways to improve cybersecurity education and reduce barriers to participation and entry for historically marginalized populations.