We need solutions that work in both theory and practice. Because real-world behaviour is often stranger than any theoretical model, attaining this goal means we cannot simply retreat to our study; we need to draw insight from empirical data. A tool that is secure in theory but hard to use properly can still prove a liability in practice, and this holds for end-users and developers alike.
An essential aspect of our research is the empirical understanding of potential attacks and the threat landscape. This ranges from attacks on critically important Web applications all the way to adversaries aiming to phish users' credentials. In this research area, we focus on measuring threats at scale in the wild and identifying threats to users at an early stage. To this end, we develop novel methods for detecting vulnerabilities at Internet-scale, with a specific focus on Web applications. By combining large-scale measurements with methods from the social sciences, we also explore how technologies can be designed to be used in a secure and private way by both lay users and developers. A key strength of the research area is the strong connection between automated tools for detection and usability aspects of novel solutions to prevent attacks before they can happen, e.g., through developer-centric security tooling.