
Curriculum Vitæ


I work in computer security, in research, where my interests are getting broader and broader: for example, I use experimental methods to analyse security incidents; I analyse version archives to find and predict vulnerabilities; I confront long-held beliefs about security with actual data; and I work on security issues in software-defined networking. You can also hire me as a freelance security consultant.

Interests

I am interested in all aspects of computer security, but I have done most of my work in systems and software security. Most security problems are ultimately due to vulnerabilities in software, so I have worked at the point where security and software engineering meet. I want to find ways to make software more secure cheaply. This means research into new technologies, as well as research into software and business processes, in order to understand where vulnerabilities ultimately come from and how they can be eliminated or mitigated. To do this, I use experimental and empirical methods, which make use of controlled program re-runs and of artifacts created during program development.

I have also worked on the economics of security, exposing long-held beliefs about security to data, and I have only recently (spring of 2013) started to work on security issues in software-defined networking.

Another of my passions is teaching. In my various positions at various universities, I have always had great fun teaching students about problems both old and new, both solved and unsolved.

Education

3/2003–9/2007

Ph.D. in Computer Science, Saarland University, Saarbrücken, Germany. Thesis Topic: Repeating the Past: Experimental and Empirical Methods in System and Software Security.

Defense on February 6, 2008; grade: magna cum laude.


1986–1994

Diploma in Computer Science, Kaiserslautern University, Kaiserslautern, Germany.

Grade: With Honors (best possible grade).


Research Experience

8/2014–today

Senior Lecturer, Zürcher Hochschule für angewandte Wissenschaften, Switzerland.

I teach students about computer science and do research in all aspects of computer security.

2/2011–7/2014

Senior Researcher, Communication Systems, ETH Zürich, Switzerland.

I worked on empirical software security, security economics, security usability, and the security of software-defined networking.

7/2008–1/2011

Research Fellow, Università degli Studi di Trento, Trento, Italy.

I worked on an EU project called MASTER, specifically on security and assurance indicators.

3/2003–9/2007

Scientific Assistant, Saarland U, Prof. Zeller, Saarbrücken, Germany.

I used data mining and statistical techniques on large software projects. This allowed me to predict which source files had as yet unknown vulnerabilities. In an application of this method to the Mozilla web suite, I produced a list of ten source files, five of which had security problems within the next six months. Work in progress includes trying to learn structured data in order to find vulnerability patterns and fixes, a broader study of the correlations between dependencies and vulnerabilities, and a broad study of the correlations between source code metrics and vulnerabilities.

I also used capture/replay techniques to analyze security incidents automatically. This resulted in a system that successfully analyzed complex multi-stage attacks that cannot be analyzed with any other tool today. I used the same techniques to automatically find attack vectors for targeted attacks.

All my work was published at top international peer-reviewed conferences (NDSS, CCS and Software Engineering).

Teaching Experience

2/2011–7/2014

Lecturer, ETH Zurich, Switzerland

Many of these lectures are available on video; see for example here.

3/2003–9/2007

Teaching Assistant (TA) and Lecturer, Saarland U, Prof. Zeller, Saarbrücken, Germany

I gave a lecture on “Design of Secure Software Systems” that was nominated for the Best Lecture Award in 2004. I also designed a new style of seminar, which has since been incorporated into the official module descriptions of the CS department. Besides acquainting students with important papers in a specific field, these seminars have the additional goal of teaching students how to give compelling scientific presentations. The two instances in which I taught this new seminar style were very well received by the students. Besides the courses listed below, which I either designed or to which I was a major contributor, I also helped with two more Software Design labs (Winter 2006/2007, Winter 2004/2005), a Programming course (Summer 2007), and a Software Engineering course (Winter 2005/2006).

  • Seminar “Seminal Papers in Practical Computer Security” (Winter 2006/2007)
  • Seminar “Open Source Programming Tools” (Winter 2006/2007)
  • Lecture “Design of Secure Software Systems” (Summer 2004)
  • Software Design Lab (Winter 2003/2004)
  • C++ Refresher Course (Summer 2003)

2001–2002

TA and Lecturer, International University in Germany, Prof. Assenmacher, Bruchsal, Germany

  • Algorithms and Data Structures
  • Principles of Operating Systems
  • Software Engineering

Professional Experience

2/2011–today

Freelance security consultant for Consecom AG. Consulting is under NDA. See here for a statement about additional money earned.

2/2011–today

Freelance security consultant for Amstein + Walthert. Consulting is under NDA.

3/2013–today

Freelance security consultant for Consecom AG. Consulting is under NDA.

3/2003–8/2010

Founder, Associate, and Chairman, Sasecure Computersicherheit GmbH, Saarbrücken, Germany.

This company specializes in consulting services that help companies understand and manage the risks induced by operating computers. This includes standard measures such as penetration testing and risk analysis, but also strategic services such as the analysis of business processes. Companies that know and actively manage their risks have a competitive advantage over companies that do not, and those companies that invest in risk management will more likely prevail over their more reluctant competitors.

4/1998–2/2003

Founder, Associate and Executive, ASIS GmbH, Kaiserslautern, Germany

This company specialized in first-to-market industrial prototypes for financial institutions. Projects included: making one bank Y2K and Euro ready; programming the first German Home Banking Computer Interface (HBCI) server (for Siemens AG); mSign, a mobile digital signature application (for Brokat AG); and EPP, an XML-based protocol for processing mobile micropayments (for Encorus AG). When the company was sold to Brokat in 1999, I handled the financial and bookkeeping aspects, thereby gaining some knowledge of US-GAAP.


1/1997–4/1998

Freelancer, Saarbrücken, Germany

This was the forerunner to the company above. Projects included work on the HBCI server and on Y2K and Euro readiness for the client bank.

3/1994–12/1996

System and Network Administrator, German Research Center for Artificial Intelligence (DFKI), Saarbrücken, Germany

The work included the administration of a heterogeneous and geographically far-flung network of over 100 computers. In the course of my work, I developed a system that allowed for the database-supported remote administration and configuration of almost any computer. I also developed an early-warning system to detect network attacks (this was at a time when firewalls were new!).


Publications

conference papers

Stephan Neuhaus and Bernhard Plattner. Software Security Economics: Theory, in Practice. In Proceedings of the 2012 Workshop on the Economics of Information Security (WEIS 2012). [PDF]

Fabio Massacci, Stephan Neuhaus, and Viet Hung Nguyen. After-Life Vulnerabilities: A Study on Firefox Evolution, its Vulnerabilities, and Fixes. In Proceedings of the 2011 International Symposium on Engineering Security Software and Systems (EssOs 2011). [PDF]

Gabriela Gheorghe, Stephan Neuhaus, and Bruno Crispo. xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement. In Proceedings of the 4th IFIP WG 11.11 International Conference on Trust Management (IFIP-TM 2010). [PDF]

Stephan Neuhaus, Fabio Massacci and Viet Hung Nguyen. Are You Using the Wrong Vulnerability Database? The Importance of Data Sources. Poster at the 2010 USENIX Security Symposium (USENIX Security 2010).

Daniela Marino, Fabio Massacci, Andrea Micheletti, Natalya Rassadko, and Stephan Neuhaus. Satisfaction of Control Objectives by Control Processes. In Proceedings of the 7th International Joint Conference on Service-Oriented Computing (ICSOC/ServiceWave 2009). [PDF]

Stephan Neuhaus and Thomas Zimmermann. Security Trend Analysis with CVE Topic Models. In Proceedings of the 21st IEEE International Symposium on Software Reliability Engineering (ISSRE 2010), San Jose, California, USA, November 2010. [PDF]

Stephan Neuhaus and Thomas Zimmermann. The Beauty and the Beast: Vulnerabilities in Red Hat's Packages. In Proceedings of the 2009 USENIX Annual Technical Conference (USENIX '09), June 2009. Acceptance rate: 16.8% (32/191). [PDF]

Stephan Neuhaus, Thomas Zimmermann, Christian Holler, and Andreas Zeller. Predicting vulnerable software components. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pages 529–540, October 2007. Acceptance rate: 18.2% (55/303). [PDF]

Stephan Neuhaus and Andreas Zeller. Isolating cause-effect chains in computer systems. In Software Engineering (SE) 2007, Lecture Notes in Informatics, pages 169–180, March 2007. Acceptance rate: 18.6% (13/70). [PDF]

Stephan Neuhaus and Andreas Zeller. Isolating intrusions by automatic experiments. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), pages 71–80, February 2006. Acceptance rate: 13.4% (17/127). [PDF]


workshop papers

Gabriela Gheorghe, Fabio Massacci, Stephan Neuhaus, and Alexander Pretschner. GoCoMM: A Governance and Compliance Maturity Model. In Proceedings of the first ACM workshop on Information security governance (WISG 2009). [PDF]

Stephan Neuhaus. Vorhersage von Lücken in Quellcode. In Proceedings des 2. SIDAR Graduierten-Workshops über Reaktive Sicherheit, page 10, 2007.

Stephan Neuhaus. Wie man Einbrüche mit Experimenten analysiert. In Proceedings des SIDAR Graduierten-Workshops über Reaktive Sicherheit, page 4, 2006.

Stephan Neuhaus. Experimentelle Methoden zum Aufspüren von Einbrüchen (8th Workshop on Software Reengineering). Softwaretechnik-Trends, 26(2):25–26, 2006.

Stephan Neuhaus. Isolating intrusions by automatic experiments. In Workshop “Trustworthy Software” 2006, Schloss Dagstuhl, Germany, 2006. 3 pages, Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI).


other publications

Stephan Neuhaus. Repeating the Past: Experimental and Empirical Methods in System and Software Security. PhD Thesis. [PDF]

Stephan Neuhaus and Andreas Zeller. Schwachstellensucher. iX 4(2008):132–136.

Stephan Neuhaus. Statistical properties of IDEA session keys in PGP. [PS], 1993.

Stephan Neuhaus. Buffer Overflows und Lösungen dazu. Survey Article, [PDF], 2003.

Presentations

conference talks

Software Security Economics: Security, in Practice, WEIS 2012, Berlin, Germany, June 2012

Predicting Vulnerable Software Components, CCS 2007, Alexandria, VA, USA, 2 November 2007

Isolating Cause-Effect Chains in Computer Systems, SE 2007, Hamburg, Germany, 30 March 2007

Isolating Intrusions by Automatic Experiments, NDSS 2006, San Diego, CA, USA, 2 February 2006


workshop talks

Predicting Vulnerable Software Components, WISSec 2007, Luxembourg, Luxembourg, 20 September 2007

Vorhersage von Software-Schwachstellen, SPRING 2007, Dortmund, Germany, 25 July 2007

Wie man Einbrüche mit Experimenten analysiert, SPRING 2006, Berlin, Germany, 12 July 2006

Isolating Intrusions by Automatic Experiments, Trustworthy Systems Workshop 2006, Saarbrücken, Germany, 18 May 2006


invited talks

Security Metrics In Context, MetriSec 2010 keynote, September 2010

Experimental Methods of Intrusion Analysis, Luxembourg University, 7 November 2006

Statistical Tests, Dagstuhl Seminar on Dynamic Analysis, Dagstuhl, Germany, 29 June 2005


Professional Activities

pc membership

Workshop on Quality of Protection (CCS 2008)

external reviews

Deutsche Software Engineering-Konferenz (SE 2007)
Deutsche Software Engineering-Konferenz (SE 2005)
Transactions on Software Engineering (TSE, 2005)

memberships

ACM, IEEE Computer Society

Hobbies and Interests

music

Guitarist, singer, arranger, and band member.

Awards and Honors

1986

Third place in first round of Federal Mathematics Competition.


References

Prof. Andreas Zeller
Saarland University
Department of Informatics
Postfach 15 11 50
66041 Saarbrücken, Germany
Email: zeller [at] cs.uni-sb.de
Phone: +49 (681) 302-64011

Prof. Thomas Zimmermann
University of Calgary
Department of Computer Science
2500 University Drive NW
Calgary, Alberta, T2N 1N4, Canada
Email: zimmerth [at] cpsc.ucalgary.ca
Phone: +1 (403) 210-9470

Dr. Holger Assenmacher
Ternius GmbH

Lindenstraße 14
67685 Eulenbis, Germany
Email: assen [at] ternius.de
Phone: +49 (6374) 99 31 15
