Reducing Digital Vulnerabilities by Providing Software Engineers with Intelligent Automated Software Security Assessment Technology

Alternative title: Intelligent, automated software security assessment technology to help software developers reduce digital vulnerability

Awarded: NOK 24.2 mill.

Software has become a major factor in our daily lives and a central part of nearly all sectors of economic activity. It is found not only on computers, but is essential to the operation of mobile phones and networks, home appliances, ATMs, cars, airplanes, medical devices, and financial and business systems. The exploitation of vulnerabilities in software can affect thousands or even millions of people and lead to massive damage. The main goal of the secureIT project is to significantly reduce the vulnerability of software systems. This is done by developing intelligent analysis technology that will help software engineers by automatically detecting vulnerabilities in source code during development, well before they can be exploited.

To create this technology, the project will address two fundamental challenges:

(1) Vulnerability prediction based on the detection of vulnerability smells and security anti-patterns. Vulnerability smells are symptoms in source code that negatively impact software security; they are not concrete errors but indications of weaknesses that increase the risk of a security problem. Security anti-patterns are patterns in source code that are known to lead to security issues.

(2) Vulnerability prediction by automatically learning common patterns from existing software and detecting how the source code of the investigated system deviates from the learned patterns. This is somewhat similar to the way credit card companies detect suspicious transactions to prevent fraud.

The proposed research is at the forefront of international scientific thinking and will increase the scientific excellence of research in Norway with an innovative and interdisciplinary approach to reducing the digital vulnerability of ICT. The outcomes will strengthen the competitiveness of Norwegian industry and promote Norway as a research and innovation leader in secure software development.
The results of the project include an open, systematically collected dataset of source-code vulnerabilities and a framework to assist in collecting and updating such datasets. Moreover, we have published a study that examines the challenges of predicting vulnerability solely from function names, and several papers that investigate how automated program repair for bugs, including security vulnerabilities, can be improved and extended to a wider range of defects. We continued our investigation by comparing techniques for embedding source code in machine-learning and hybrid formats for bug repair, and by examining the use of knowledge graphs for vulnerability assessment. Finally, the rapid advances in large language models for code have enabled a shift toward automated and semi-automated vulnerability repair using LLM-based techniques, as well as agentic debugging and repair approaches.
A key outcome of the secureIT project is the establishment of a strong and sustainable international research network in automated debugging and repair of security vulnerabilities in source code. The project has led to lasting changes in research competence and practice among participants, evidenced by the continued academic careers of both secureIT-funded postdoctoral researchers in Norway and Italy, where they further develop and transfer expertise originating from the project. secureIT also strengthened international mobility and collaboration by attracting an ERCIM Alain Bensoussan Postdoctoral Fellow from UCL, who continued this work under a Marie Sklodowska-Curie Postdoctoral Fellowship, and by serving as a pipeline for early-career researchers. In particular, a master's student involved in secureIT was later recruited as a strategically funded PhD candidate at Simula, working on agentic approaches for the security hardening of source code, and is currently conducting a research visit at the CISPA Helmholtz Center for Information Security in Germany. Beyond the outcomes envisioned in the original proposal, secureIT has significantly impacted research infrastructure and research practice in software security. A central impact is the development and continued maintenance of the CVEfixes dataset, an openly available research resource that links real-world security vulnerabilities (CVEs) to their corresponding source-code fixes and metadata. CVEfixes supports reproducible empirical research and systematic evaluation of vulnerability detection and repair techniques, and has been widely adopted by external researchers and industry beyond the secureIT consortium. As such, it constitutes a lasting contribution to the research infrastructure of the software security and automated program repair communities.
Although the project initially focused on security assessment and the identification of vulnerable code, rapid advances in large language models for code enabled a shift toward automated and semi-automated repair of identified vulnerabilities. This expanded the project's impact from vulnerability detection to actionable remediation, with relevance for both academic research and industrial software development practice. In the longer term, secureIT contributes to societal impact by advancing methods, datasets, and conceptual foundations that improve software security at scale. The combination of open empirical resources such as CVEfixes with emerging agentic repair techniques supports the development of secure and trustworthy intelligent systems, with potential downstream effects on software engineering practice, security assurance, and the robustness of digital infrastructure. These impacts are being consolidated through follow-up research initiatives led by the PI, currently under evaluation (Q1 2026).
Software has become a central part of nearly all sectors of economic activity, and our daily lives have become increasingly dependent on complex software-intensive systems, i.e., systems in which software interacts with other software, other systems, devices, sensors and people. Exploitation of vulnerabilities in software can affect thousands or even millions of people and lead to massive damage. The secureIT project will help reduce software vulnerabilities by addressing the problem at its source: we will develop advanced methods and techniques that help software engineers predict the vulnerability of source code during development, well before it can be exploited. The overall goal of this project is to significantly reduce the digital vulnerability of ICT by devising intelligent automated software security assessment technology that supports software engineers by systematically and continuously predicting the vulnerability of source code in the development stage. We reach this goal through three scientific breakthroughs that will advance the state of the art in software security assessment:

(1) Vulnerability Prediction based on Vulnerability Smells and Security Anti-Patterns
(2) Anomaly-based Vulnerability Prediction
(3) Improving Vulnerability Predictions using Historical Data

Timeliness: The secureIT project builds on the PI's earlier achievements in automated software inspection, code smell detection, cross-language information flow analysis in heterogeneous systems, and frequent pattern mining and anomaly detection in high-volume data. Recent advances in machine learning, together with the PI's new results on automatically learning patterns in high-volume data and generalizing them using rule aggregation [27 in project description], mean that now is the best time to start this research. Software vulnerability needs to be reduced, and the global state of the art was not at the required level to start this ambitious research undertaking until just recently.
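The two prediction approaches named in the summaries above, smell/anti-pattern detection and anomaly-based deviation from learned patterns, can be illustrated on a toy scale. The script below is an added example, not code from the secureIT project or from any of its publications: it uses Python's standard-library `ast` module to (1) flag a short, assumed list of security anti-patterns (`eval`, `pickle.loads`, `subprocess` calls with `shell=True`) and one vulnerability smell (a string literal assigned to a secret-looking variable name), and (2) learn the call-sequence bigrams of a constructed corpus of known-good functions, then score each function in a constructed target file by the fraction of its call bigrams never seen in that corpus. The corpus, the target file, the anti-pattern and secret-name lists, and the bigram model are all constructed assumptions; a real tool would learn from a large codebase and use a richer representation than bigrams.

```python
"""Toy vulnerability predictors over Python source (constructed illustration)."""
import ast

# Assumed anti-pattern list: calls known to lead to security issues.
DANGEROUS_CALLS = {"eval": "evaluates a string as code",
                   "pickle.loads": "deserialises possibly untrusted bytes"}
# Assumed name fragments that suggest a hardcoded credential (a smell, not a bug).
SECRET_WORDS = ("password", "secret", "token", "api_key")

def call_name(func):
    """Dotted name of a call target, e.g. 'db.query'; None for complex targets."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return None

def find_anti_patterns(source):
    """(line, call, reason) for known-dangerous calls, incl. subprocess shell=True."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node.func)
        if name in DANGEROUS_CALLS:
            found.append((node.lineno, name, DANGEROUS_CALLS[name]))
        elif name and name.startswith("subprocess.") and any(
                kw.arg == "shell" and getattr(kw.value, "value", None) is True
                for kw in node.keywords):
            found.append((node.lineno, name, "runs the command through a shell"))
    return sorted(found)

def find_smells(source):
    """(line, smell, detail) for string literals assigned to secret-looking names."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for t in node.targets:
                if isinstance(t, ast.Name) and any(w in t.id.lower() for w in SECRET_WORDS):
                    found.append((node.lineno, "hardcoded-secret", t.id))
    return sorted(found)

def call_sequences(source):
    """Map each top-level function to the names it calls, in source order."""
    seqs = {}
    for fn in ast.parse(source).body:
        if isinstance(fn, ast.FunctionDef):
            calls = sorted((n for n in ast.walk(fn) if isinstance(n, ast.Call)),
                           key=lambda n: (n.lineno, n.col_offset))
            seqs[fn.name] = [call_name(c.func) or "?" for c in calls]
    return seqs

def bigrams(seq):
    """Consecutive call pairs, padded so the first and last calls form pairs too."""
    padded = ["<start>"] + seq + ["<end>"]
    return list(zip(padded, padded[1:]))

def learn_model(corpus_sources):
    """The set of call bigrams observed in a corpus of known-good code."""
    model = set()
    for src in corpus_sources:
        for seq in call_sequences(src).values():
            model.update(bigrams(seq))
    return model

def anomaly_scores(source, model):
    """Per function: fraction of its call bigrams never seen in the model."""
    return {name: sum(1 for b in bigrams(seq) if b not in model) / len(bigrams(seq))
            for name, seq in call_sequences(source).items()}

# Constructed corpus: every lookup validates its input before querying the DB.
GOOD_CORPUS = '''
def lookup_user(name):
    validate(name)
    return db.query(name)
def lookup_order(order_id):
    validate(order_id)
    return db.query(order_id)
'''
# Constructed target: one conforming function and three that deviate.
TARGET = '''
import pickle, subprocess
PASSWORD = "hunter2"
def lookup_user(name):
    validate(name)
    return db.query(name)
def lookup_raw(name):
    return db.query(name)
def run(cmd):
    return subprocess.check_output(cmd, shell=True)
def load(blob):
    try:
        return pickle.loads(blob)
    except Exception:
        pass
'''

if __name__ == "__main__":
    print(find_anti_patterns(TARGET), find_smells(TARGET),
          anomaly_scores(TARGET, learn_model([GOOD_CORPUS])), sep="\n")
```

Run as a script, it reports the two anti-patterns and the hardcoded secret in `TARGET`, and gives `lookup_raw` an anomaly score of 0.5 (it queries the database without the `validate` call every corpus function makes first) while `run` and `load` score 1.0 because none of their call pairs occur in the corpus. The two halves correspond to the page's distinction: the anti-pattern and smell checks need no training data but only find what is already on a list, whereas the anomaly score needs no list but only flags deviation, which a reviewer still has to interpret.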

Publications from Cristin

No publications found

Funding scheme:

IKTFORSKNING-IKTFORSKNING