My research focuses on computer security, specifically human-centered security, software supply chain security, and open source development, with recent work examining the security implications of AI-assisted software development and autonomous agents.
My recent publications are available on the publications page.
Some of my main research interests include:
Human-Centered Security and Privacy. Investigating how developers, security professionals, and other stakeholders understand and respond to security concerns, especially in complex environments and systems [C19, C17, C16, C11, C9].
Software Supply Chain Security. Studying how software is packaged, built, and distributed, with a focus on security-relevant issues such as reproducibility, dependency management, and vulnerability metadata [C20, J1, W3, C14, C13].
Open Source Security and Trust. Analyzing practices in distributed development environments, including contribution workflows, coordination mechanisms, and the handling of vulnerabilities or secrets [C18, C15, C12, C10].
AI, Agents, and Software Security. Investigating how AI agents reshape software development, software supply chains, and open source security practices. This includes adversarial and defensive uses of autonomous agents, AI models as supply chain components, and the security and coordination challenges introduced by large-scale automated participation in open source projects.