Bsides Exeter 2026

When Pen Testing is Not Enough
2026-04-25, Seminar Room 1

We’re often told "don't roll your own crypto" or "don't build your own auth." It’s great advice for most, but it prompts an obvious question: what about the people who have to build the stuff everyone else relies on? When you’re developing the core libraries, kernels, or protocols that the rest of the world trusts, "best effort" security testing is simply not enough.

Standard tools like fuzzing and static analysis (SAST) are world-class at finding bugs, but they are inherently reactive. They can tell you that you have a vulnerability, but they can never prove that you don't. This raises the question of what we can, and should, do when we need to go beyond the "find-and-patch" cycle.

In this talk, I will explain the ideas underlying widely used security testing techniques such as fuzzing and static analysis, examining their strengths and weaknesses. This will be contrasted with a plain-English look at how formal verification, which offers the promise of being "mathematically proven", allows us to show the absence of entire vulnerability classes. I will also discuss why "mathematically proven" isn't a silver bullet and address the practical limitations of verifying complex systems.

If you’ve ever wondered how the foundations of the internet are secured, or if you are building a component where a single bug constitutes a catastrophic failure, this session will show you how to move beyond the "Whac-A-Mole" of bug hunting.

The audience should have beginner-to-intermediate software development experience, i.e., being able to understand small program snippets containing typical software vulnerabilities. No deep knowledge of security testing (or formal verification) is required.

URL: http://brucker.ch

Technical Level: 4 - Complex and quite technical, deeper dive into subjects

Organisation or Affiliation: University of Exeter

Achim is a Professor in Computer Science (Chair in Cybersecurity) and Head of the Cybersecurity Group at the University of Exeter, UK.

He has over 20 years of professional experience in cyber security in general, and, in particular, in research and development of safety and security critical systems. In his work, he particularly focuses on techniques, methods, and tools for ensuring the safety, security, correctness, and trustworthiness of advanced systems.

His industry experience includes being a Security Architect and Security Testing Strategist for SAP SE. In this role, he defined the risk-based security testing strategy of SAP that combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Life Cycle.

He supports security initiatives and events in the South West, building bridges between industry, academia, and the local community. Amongst others, he is a member of the SWCSC Steering Committee and the BSides Exeter Steering Committee.