elmanto.github.io

Getting a ph.d. in system security – the faq.

I remember when I was a master’s student, unsure about the path to take, and surrounded by questions like “Is the Ph.D. a good road?” or some months later, after my first papers were rejected, “Did I choose right?”. Once, an old professor told me something like, “doing a Ph.D. is like a 3-year vacation”. Probably to some extent, or in some cases, this sentence could be plausible, but more likely, I guess this was an appealing way to convince young students to start a career in academia.

This blog post arises from here, from the lack of information about this road and wants to describe my personal experience demystifying some common legends and answering some questions that future/current Ph.D. students may have. I don’t pretend that my point of view is shared among all of you and similarly that many people read this, but my hope is to give a hint to all students uncertain about what to do with their life after their Master’s Degree or during the academic period. Thus I will go through some points that I consider quite useful and informative, and for each of them, I’ll highlight what my approach looks like. I point out that the choices I made don’t necessarily have to be considered correct, and it is very likely that the correctness depends on several other factors such as your interests, final goal, lifestyle, etc. But I opted to tell the story “as-is”, describing my personal point of view and collecting information just from one source: my direct experience. Finally, note that many of the aspects I will describe are related to the topic of my research, which is system security. While some points could be common with other research areas, honestly, I do not know how much overlapping there can be between security and other fields, which are very far.

Before starting

My starting point.

When I started, one of the first things I noticed was the different backgrounds between me and the other doctoral students. Indeed I identified three main scenarios. Some students start the 3-year academic period with a super-strong background on their topic. Others, instead, know very basic concepts related to the field of interest but have good skills that allow them to overcome the initial difficulties (e.g., super good at coding). Somewhere between these two configurations, there was me.

The university where I came from (University of Genoa) is definitely not a top one in Italy, and at the same time, it is not famous for providing a super-strong background in system security. During the MSc, I took only ONE security class and ONE (very generic) operating system class while I believe these are the two fundamental subjects in my research area. Luckily I had the opportunity to meet some skilled people (mostly the Ph.D.s of my old university) during my bachelor’s and master’s degrees that helped me to move my first steps in security, for instance, by introducing me to the CTF world or pointing me to some fundamental concepts of the field. With a bit of personal effort and some hints from the right people, in the last year of master’s degree, I had some basic knowledge about several topics such as vulnerability detection and exploitation in simple web/C applications as well as reversing of binary code. Nothing special, but this allowed me to apply for a Ph.D. position and be considered eligible for that.

Is there anything I can do to understand if I like the Ph.D. life?

Try it yourself. Probably the best thing that you can do is to face a research problem alone, no matter if it gets published or not. For instance, in my case, I focused my master thesis on a research project that luckily, in the end, became a top-tier publication, even though obviously at that time I was not sure about the research direction. Understanding how the public research world works helped me a lot to realize that I really loved that activity. This was probably one of the main motivations behind the choice of starting the Ph.D.

During the Ph.D.

In this central chapter I emphasize several aspects that are related to the actual 3-year Ph.D. period, ranging from background factors such as the environment, human aspects, etc. to more fundamental aspects like the approach I had during this period or the topic choice.

The topic choice

One of the first choices that novice doctoral students have to make is related to the main topic they will be focusing on for the upcoming three years. Although this is somehow a trivial consideration, let me say that this choice is extremely important. The good news is that overall, picking one topic does not exclude the chance to do research in other fields in your area. For instance, while the main topic of my research was theoretically focusing on human-in-the-loop approaches for binary analysis, in parallel, I could experiment with different research threads such as malware analysis and fuzzing. The bad news is that in the end, you will be required to write a thesis on your topic, which is way easier if all your papers are linked to the same root subject. Also, while IMHO it completely makes sense to be “curious” at this time, and explore different research areas that may not be strongly related to your thesis topic, I suggest you choose a subject that motivates you and in which you feel real interest. This will help you to keep working on it for the full duration of your student status and to cultivate your interest in it.

Honestly, I am curious by nature and I never felt that my thesis topic was not sufficiently motivating me to push hard with my work. But there are papers and papers and each one deserves a specific judgment. For instance, among the three papers in the final thesis document, one was a human study (i.e., a study that involves experiments with some users to investigate how humans perform a certain activity) that I loved and I am very proud of. However, inherently I like technical challenges, and thus I opted to skip other potential human study papers that could fit in the thesis because I preferred to seek different ones combining technical complexity as well as a close relationship to the topic. This had the effect of reducing the search space for my candidate papers and, in the end, resulted in some complications of the thesis plot, but on the other hand, this allowed me to understand better what I like more and what instead is a bit too far to represent the core of my job. If I came back, I think I would do the same in the end, with no regrets because I am very proud of all papers that I contributed. Just, I noticed there are some topics that are more stimulating than others. This is also a cool thing about the Ph.D., you develop some new interests in some previously-unknown topics, and you discover some subjects aren’t worth investigating for you.

The horizontal vs vertical dilemma

Related to the previous chapter on the subject choice, I want to speak about what I named the “horizontal vs. vertical” dilemma, one of the mental trips that affected my mind during the last three years. Put simply, one can decide to move only “vertically”, exploring very deep and nested aspects of his/her topic and becoming a very specialized expert in that context. The alternative way instead, is to move “horizontally” and work on subjects that are not necessarily a specification of the parent one. As you may have guessed, I belong to the second category, even though for all three years I had doubts about what was the best choice. For instance, I wondered very often which strategy was the best to look for a job in a second moment. However, this is the classical moment where you make a decision and follow it. Then what was my decision based on? Well, what made the difference for me was the freedom in my research activity to consider different areas. This is why I don’t have regrets, and I would re-do the same.

This ofc does not imply that the vertical approach is wrong, and honestly I really appreciate people who followed this direction and focused on a single topic for the entire duration of the Ph.D. Nevertheless, I feel satisfied with my choice, and I believe this is too personal to give suggestions. Just, be aware that both solutions are valid and bring pros/cons, and your final choice should be what makes you feel better. My personal suggestion is that unless you start a Ph.D. with a very specific goal (“I want to work on exactly this specific X aspect of this Y field with this Z initial assumptions”), moving “horizontally” will help you to manage and learn multiple aspects at 360 degrees. Then you’ll do your considerations and go for the top 2 or 3 arguments that you learned to love. In other cases, feel free to select the strategy you like, very probably you’ll never lose as you always have a backup plan (your starting topic).

The “push push push” philosophy

Put simply, don’t start a Ph.D. if you don’t want to work that much. If your expectation is to have an office-like schedule where every day you enter/exit at the same time this is not going to fly. IMHO, the time you dedicate to a project should be “goal-dependent”. At least in an initial phase, it totally makes sense that you go relatively slow. If you want to gift yourself with some free days, this is the right moment. But whenever you start to collect interesting results, well, that is the moment to change mindset and start to push and accelerate to conclude that project ASAP. Still, this doesn’t mean you cannot enjoy your free time. But let’s say that there will be moments to relax and moments to work. And in these last moments, you should be very focused on your goals.

You may wonder why. My answer is that a Ph.D. is, at least in part, a period you dedicate to study and grow as a technical individual. Also, this is probably the last period you have in your life to study what you want. Whenever you finish that, you will have two possibilities: industry and academia. In the former case, probably same-age people already started to work 3 years before. You have to be very well-prepared if you want to work in research or other industry positions. In the latter case, you have to push to simply maximize your papers, that is what will definitely help you to become, one day, a professor.

TBH, one of the few things I would change about my Ph.D. is that at least during the first year I didn’t push that much. When you start you think that you will have enough time for sure and you can afford some reduced-speed days. ERROR! It turns out that time is precious especially for a Ph.D. where the final thesis defense can happen only if you have a sufficient number of papers. Moreover, wasted time is also a damage to your intrinsic learning activity that is what in the end will pay out your time spent in the laboratory of a certain university. Finally, as a more practical point of view, I believe it is much better to enjoy your free time after your work is done rather than the opposite.

The learning process

Another reason that motivated me was to spend a proper amount of time to learn new things because I felt that my level of preparation was insufficient after the Master degree, at least for my personal standards. While studying new concepts is not a thing you can do exclusively during a Ph.D., I believe this period is particularly suitable to learn novel approaches/technologies/tools/theories/etc. Now, what happened in my experience is that I learned things from two separate sources. Of course, doing research and experimenting with custom approaches to solve a certain security problem was the first one and it helped me a lot to learn new things on-the-fly. You can play with very different technologies and techniques that will become part of your background and at the same time you will be ready to increase your knowledge level about a specific topic.

On the other hand, I would not be the same person if I hadn’t studied “stuff” on my own. Obviously, not random stuff, but just what you exactly like. For instance, what helped me was playing CTFs, an educational approach that taught me many things and led me to understand what I liked more, other directions to improve, etc.

On top of this, I had the possibility to dedicate my time exactly on what I loved. One month I wanted to study nested operating system concepts and I had time for this. Another month I was studying compilers. Yet another one I was focusing on a new programming language. And this was not strongly required by my papers, was just for personal satisfaction and curiosity.

This has also the advantage that you will conclude the Ph.D. with a new skill, that is, “learn to learn”. When you get used to studying things, grepping in the source code, looking for materials, well you’ll become faster to approach also very different and complicated problems. But before “learning to learn” try to be sure, at the beginning of the Ph.D. that one of your interests is actually “learning”. If you’re not curious, then maybe the Ph.D. is not for you.

The academic workflow

For those who are not familiar with the academic workflow, I’ll give a short introduction here. This is needed to understand the following sections, especially when I deal with topics such as “reviewers” or “accepted paper”. Let’s say you have discovered a super novel approach or performed a very interesting measurement about a specific phenomenon, eventually you will decide to write a scientific paper about it. Typically you’ll be using a specific language a.k.a. LaTeX (theoretically you can use also Word, but I strongly discourage this choice for questions of dignity), a system for document writing and preparation that allows you to specify fine-grained settings to generate high-quality files, that commonly in our case are PDF files. Each paper is different and depending on several factors it can take more or less to write it down. To give you an estimation, I would say one month is needed to write a high-quality paper for a top conference (more about “top conference” later) avoiding a rush and without becoming mad for the deadline. But of course exceptions to this rule exist, you will experience them if you start in academia.

That being said, when you start to write the paper, you will target either a conference or a journal. Each conference/journal has a ranking that determines its importance and consequently the difficulty to get the paper accepted. In security, some popular conferences are IEEE S&P, ACM CCS, Usenix and NDSS while a popular journal is TOPS. Independently of your target, a certain number of reviewers will be in charge of reading your paper, criticising it and deciding for an acceptance or a rejection of the paper. Reviewers can have different expertise levels about that specific topic, ranging from the very expert, to knowledgeable, until the security guy that knows about it but works on other security aspects. Obviously in case of acceptance you’re done with your job, whereas, in case of rejected paper, you’ll need to fix the paper to address the reviewers’ comments and submit it to a different conference. Now, the actual process is a bit more complicated, for instance there are some intermediate steps like “early-reject”, “rebuttal” and “major revision” that eventually can turn into an accepted or rejected paper. Moreover, some differences exist between each conference/journal but at least now you have a basic understanding. Let me just add that the reviewing process is done, in most of the cases, according to a policy that we name “double-blind”, i.e., the paper’s authors don’t know who the reviewers are and vice versa. This, of course, to ensure that no bias exists in the reviewing mechanism.

The stress of publishing

I start by saying that each research group has different constraints in terms of papers needed to defend your Ph.D. In my research group (the S3 lab at Eurecom), the internal rule was to require 3 papers to be accepted at the time of the defense, even though very often the acceptance of the third paper could be relaxed, for instance by allowing that the third paper is under submission at the time of the defense. I totally agree that you need a way to measure the productivity of a Ph.D. student, that is necessary for several things. BUT, especially during the last year, I felt like this was not a good criterion. Indeed, unfortunately, the acceptance of a paper does not depend totally on you but instead very often the submission process introduces a combination of stress and waste of time, that leads to a delay in the fulfilment of the requirements. Probably the worst enemy of the Ph.D. student is that famous Reviewer B, that systematically rejects your paper with statements like “this work is under the bar of our top-tier conference” or “this paper lacks of this specific experiment” while you have an entire section about that. Now, since I am leaving from academia, I am not in the position to suggest a way to improve the peer-review, but what I want to underline are two things. First, to the reviewer: try to think that in several cases the paper you are rejecting is the result of a year of work of a young student that may want to receive some precious feedback. If you, dear reviewer B cannot really find any qualities (that is absolutely possible), at least be polite and behave like a real expert would do, i.e., by giving useful suggestions to young practitioners of that topic. Second, to the professors: I perfectly see you need to set a threshold at some point, to establish if a person is, or not, ready to obtain a Ph.D. as well as to justify the fact you hired a person to accomplish a certain job. But please, consider the entire path of a student, where he/she started, the topic and what he/she reached. I heard about stories of other labs in different universities where the professor presses a lot the students to maximize the number of papers. If these voices are true, as I believe, this is not fair.

W.r.t. this, I don’t have specific recommendations for future Ph.D. students, but I wanted to describe a classical problem that you may meet if you work on system security. Especially if your topic is not the hype of the moment, this may become even harder, as it will be complicated to find reviewers that know that subject. Obviously, I don’t want to say you should decide the topic depending on the difficulty of getting it accepted. But don’t forget that some topics are harder to get accepted than others. And, finally, ask about the minimum number of papers to obtain a Ph.D. in that group before starting. If it is more than one per year, and you don’t see any possibility to relax the constraint, maybe that advisor is more a manager rather than a professor. Then, as always, it’s up to you, but cope with this.

In general I am quite optimistic about my life and I was so even when my paper was rejected 4 times. A possible strategy that I can suggest for those who are not really interested in pursuing an academic career is to downgrade the conference ranking when you’re turning closer to the madness because of a high number of rejections. When I did it I got the paper instantly accepted into a slightly minor conference (AsiaCCS). Then of course, if you have time and you want to have that paper at top because i) it deserves a top conf in your opinion ii) you want it to have more visibility iii) personal satisfaction to go to top conference, then keep on submitting to the big 4, eventually you’ll get accepted.

Resiliency to bad research failure and delayed gratification

As another consequence of the academic research pipeline, I’m going to illustrate now the concept of “resiliency”. Yes, because when we experiment with a novel approach we are forced to try and re-try until we get the results we want (if we can get them). This can require from one attempt to several distinct attempts and re-implementations that internally help to form our character. This is what I mean with resiliency, and believe that it is a fundamental skill you will get in a Ph.D. and will never abandon for your following jobs, in academia and industry alike. On the other hand, this will come at the expense of a “delayed gratification”. You will be rewarded, not when you get the first good results, but when you get a paper accepted that could take much more time because as I mentioned in the paragraph before, does not depend on you. Honestly, I believe this is a reasonable price to learn a skill that would be extremely difficult to develop otherwise and that can potentially help a lot. But anyway, if you are going to start a Ph.D., be prepared to fail before you succeed, make errors before correct implementations and get rejected before accepted. I know this is not fun, but it is part of the game. This is kind-of unavoidable I think. It’s unavoidable because it’s basically impossible to implement the correct approach at the first attempt and consequently getting your cool results published immediately. Therefore I cannot really suggest how my approach looked like for this sub-problem. Indeed, with this paragraph, I just want to inform you that this phenomenon exists and yes you aren’t the only one affected.

Being advised

DISCLAIMER: I had a very good relationship with my advisor and I cannot tell anything except that I learned a lot with him.

But in this section, I want to underline some patterns that I noticed in my personal experience (as well as in other student-advisor relationships) and that I find quite reasonable in the end.

  • First, this is quite trivial, but don’t expect your advisor to write code or do technical things with you. This totally makes sense as professors are responsible for many other things (committees, other students, teaching, university internal things, looking for money to pay you, etc.).
  • Second, slightly less trivial, don’t expect positive feedback. I mean, if you’re working well, that’s fine. If you’re not working properly, in that case you could get “negative” feedback, but of course this is another story. The main takeaway of this is, do not be worried about not getting positive feedback when you accomplish a series of intermediate steps in your research work.
  • Connected to these two aspects, try to be as autonomous as possible. This is for you rather than your advisor. Obviously a discussion about the research direction is totally fine, but, it’s way better for you to be able to work alone most of the time, and ask for intervention only in important cases.
  • Another thing that I learned is that compressing the amount of information that you need to share with him/her leads very often to faster responses. The classical example is: you have some preliminary results that come out from a complicated set of experiments with several corner cases. Try to abstract, synthesize and report the meaningful info if you want to hear feedback from him/her, unless you have a complicated problem with one of the edge cases. Only in that case it is worth to enter in details.
  • Probably the best suggestion I can give you is to evaluate the human side of your advisor in addition to the technical value. This is priceless because several times you will need the expertise and the advice of a professor during your path, for several contexts, and counting on a person that can put you in the right direction and you trust is definitely a boost for your academic journey.

Team working

Another soft skill you’ll be developing during your Ph.D. is, in several cases, the “team working”. Indeed, in several cases a research project has several co-authors where at least two or three co-operate to produce the results in a faster way. I believe this is very good, because you can try different configurations of your team depending on the paper. And moreover, typically you will meet people with a different background, modus operandi and other aspects such as the seniority. While you should see this as an opportunity, giving you the chance to improve yourself and compare your way of working with other people that potentially have worked in that field for several years, there could be cases where the co-operation is made more difficult because of certain aspects. The best thing you can do is to agree with the co-authors about the code and the strategies you are following before the final implementations. It’s annoying to change your 1-month codebase after a discussion with a co-author but it’s way better to sync on this at the very beginning. Then, IMHO it’s better to split the tasks in threads, a thread per co-author. Then, everyone works on a specific part of the project and there are no annoying overlaps that could result in hazards. Finally, if the problem is more on the human side, then this is more a general question, but I believe that you should try to ignore the personal problems and involve your advisor only if the situation becomes hot.

Actual Ph.D. duration

In France this is 3 years. It can reach almost 4 years if you require an extension, for instance to conclude your thesis or to submit your last paper, but it depends. I think this depends also on where your future will be. Are you planning a long-term stay in academia? You can definitely afford to stay one year more as a Ph.D. in your lab, this will help you to learn even more subtle things about the academic life. Are you leaving from academia? Then once you’re done with the papers there is no value in extending your Ph.D., at least IMHO.

Background factors (part I): human aspects and geographical location

This is probably the most under-evaluated type of aspect: background factors. For instance, I speak about the environment, which includes the colleagues, the office, etc. These are extremely important to increase the productivity of an environment. There is not just work, but it’s also cool to chat about several topics with some colleagues in the morning in front of a cup of coffee. W.r.t. this, I was super-super-super lucky and I met an actual “second” family at Eurecom. And this of course contributed to the feeling of being happy to reach your office in the morning to start working and abandoning it in the night after working hard for a good beer with your team. And also think about secondary factors like the office itself (are you used to working in a silent space? You can accept noise? How many virtual calls do you make per day?) as well as the geographical location. This last point also plays a certain role. Indeed, while it is important to be productive during the hours you are in front of your laptop, it is also essential to enjoy your 3-year experience at 360 degrees, including your social life outside your campus/university. Therefore, try to look for a laboratory in a city that has some attractions. Small villages in the middle of nothing will only make you even more stressed and depressed after the first papers’ rejections.

Background factors (part II): research incentives

This is quite obvious, but to be 100% clear: you don’t start a Ph.D. for money, start a Ph.D. due to your passion and interests. Thus, look at the salary when you start to understand if this allows you to live with dignity in that region but don’t be worried if the apartment you are renting is a single-room studio as it was in my case. This is normal, you’ll have your chance to gain much more money after the Ph.D. and consider this as an investment in yourself.

In my case the net salary was approximately 1750 euros + ~150 euros of tickets to buy food. Life in the French Riviera (where EURECOM is located) is not cheap, a studio can be between 600 to 750 euros per month, and in addition you have to eat, live, and maintain a car (not mandatory, but I had it). By doing some maths, you can easily see that I didn’t become rich during the Ph.D. but in the end I could survive and still save some money.

And moreover, there are other incentives for you. Want to know what? Each conference paper accepted is one trip in a cool city (at least usually) and the university/lab typically pays for it entirely. Obviously I was not that lucky because at the second year COVID-19 started and lasted until the end of the third year, but you’ll be definitely more lucky than me. For instance, the only conference that I attended was NDSS, that historically takes place in San Diego. I let you imagine how carefully I attended the conference ;)

After the Ph.D.

Maybe one day I will write a new blogpost about the “post-Ph.D.” life, but now it’s not the time as I have just finished it at the time of the writing. Thus in this last paragraph, I’ll quickly describe some considerations about this phase.

In the end I went for industry. But from my understanding all roads are open, even though for an academic path you should publish a lot. I opted for industry because, of course, money but also because I wanted to do something more applied into real-world as well as I didn’t like some aspects of academia. For now, I’m joining Qualcomm to work on vulnerability stuff even though I did interviews with other companies before choosing. A consideration related to this is the application time: if you plan to stay in industry, do not apply too early nor too late. I think you can start to search 4-5 months before the defense, but be aware that recruiters very often know that a Ph.D. thesis is a delicate period for an individual, and may prefer other more immediate applications. Also, positions after a Ph.D. are super-specialized (unless you want to do the consultant), bear with it. It may take some time before finding a job that matches all your requirements. But on the other hand, you can definitely start with a job and change it in a second moment when you find a better one.

My final comment? Start a Ph.D. only if you feel this is the right road for you. Then it will become one of the best periods (and jobs) of your life. Don’t get confused by people who say this is needed for working or other similar things. The risk to trash your time is very high in this second case.

I hope that with these words I clarified some aspects/gave some hints about what doing a Ph.D. is. Do you have more questions? Drop me a message on direct (twitter) or an email. Eventually I also plan to add other paragraphs to this list, but let’s see.

Cybersecurity Guide

From scholar to expert: Cybersecurity PhD options

The cybersecurity landscape is not just growing—it’s evolving at a breakneck pace. And what better way to stay ahead of the curve than by pursuing a PhD in cybersecurity?

This advanced degree is no longer confined to the realm of computer science. Today, it branches into diverse fields like law, policy, management, and strategy, reflecting the multifaceted nature of modern cyber threats.

If you’re looking to become a thought leader in this dynamic industry, a PhD in cybersecurity offers an unparalleled opportunity to deepen your expertise and broaden your horizons.

This guide is designed to give prospective cybersecurity PhD students a general overview of available cybersecurity PhD programs. It will also outline some of the factors to consider when trying to find the right PhD program fit, such as course requirements and tuition costs. 

Industry demand for PhDs in cybersecurity

Like other cutting-edge technology fields, until recently, cybersecurity PhD programs were often training grounds for niche positions and specialized research, typically for government agencies (like the CIA, NSA, and FBI), or closely adjacent research organizations or institutions.

Today, however, as the cybersecurity field grows to become more pervasive and consumer-oriented, there are opportunities for cybersecurity PhDs to work at public-facing companies like startups and name-brand financial, software, infrastructure, and digital service firms.

One trend that is emerging in the cybersecurity field is that cybersecurity experts need to be well-versed in a variety of growing threats. If recent headlines about cybersecurity breaches are any indication, there are a number of new attack vectors and opportunities for cybercrime and related issues. Historically, committing cybercrime took resources and a level of sophistication that required specialized training or skill.

But now, because of the pervasiveness of the internet, committing cybercrime is becoming more commonplace. So training in a cybersecurity PhD program allows students to become experts in one part of a growing and multi-layered field.

In fact, this trend of needing well-trained but adaptable cybersecurity professionals is reflected by the move by cybersecurity graduate schools to offer specialized master’s degrees, and many companies and professional organizations offer certifications in cybersecurity that focus on particular issues related to cybersecurity technology, cybersecurity law, digital forensics, policy, or related topics.

That said, traditional research-oriented cybersecurity positions continue to be in demand in academia and elsewhere — a trend that will likely continue. 

One interesting facet of the cybersecurity field is trying to predict what future cybersecurity threats might look like and then develop tools and systems to protect against those threats.

As new technologies and services are developed, and as more of the global population begins using Internet services for everything from healthcare to banking, new ways of protecting those services will be required. Often, it’s up to academic researchers to think ahead and examine various threats and opportunities to insulate against those threats.

Another key trend coming out of academic circles is that cybersecurity students are becoming increasingly multidisciplinary.

As cybersecurity hacks impact more parts of people’s everyday lives, so too do the academic programs that are designed to prepare the next generation of cybersecurity professionals. This emerging trend creates an enormous amount of opportunity for students who have a variety of interests and who are looking to create a non-traditional career path.

The best cybersecurity PhD programs for 2024

  • Capella University
  • Georgia Institute of Technology
  • Northeastern University
  • Marymount University, School of Technology and Innovation
  • Nova Southeastern University, College of Computing & Engineering
  • Purdue University
  • Stevens Institute of Technology
  • Worcester Polytechnic Institute
  • University of Illinois at Urbana-Champaign
  • Mississippi State University
  • New York Institute of Technology

These rankings were compiled from data accessed in November 2023 from the Integrated Post-Secondary Education Data System (IPEDS) and College Navigator (both services of the National Center for Education Statistics). Tuition data was pulled from individual university websites and is current as of November 2023.

What is required to get a PhD in cybersecurity?

Good news first: Obtaining a PhD in a field related to cybersecurity will likely create tremendous employment opportunities and lead to interesting and dynamic career options.

Bad news: Getting a PhD requires a lot of investment of time and energy, and comes with a big opportunity cost (meaning you have to invest four to five years, or longer, or pursue other opportunities to obtain a doctoral degree).

Here’s a quick breakdown of what is required to get a PhD in cybersecurity. Of course, specific degree requirements will vary by program. One growing trend in the field is that students can now obtain degrees in a variety of formats, including traditional on-campus programs, online degree programs, and hybrid graduate degree programs that combine both on-campus learning with online learning.

Preparing for a cybersecurity doctorate program

Cybersecurity is a relatively new formalized technology field. Nonetheless, there are several ways that students or prospective PhD candidates can get involved or explore the field before and during a graduate school program. A few examples of ways to start networking and finding opportunities include:

Join cybersecurity organizations with professional networks

Specialized professional organizations are a good place to find the latest in career advice and guidance. Often they publish newsletters or other kinds of information that provide insights into the emerging trends and issues facing cybersecurity professionals. A couple of examples include:

The Center for Internet Security (CIS) is a non-profit dedicated to training cybersecurity professionals and fostering a sense of collaboration. The organization also publishes information and analysis of the latest cybersecurity threats and issues facing the professional community.

The SANS Institute runs several different kinds of courses for students (including certification programs) as well as ongoing professional cybersecurity education and training for people working in the field. The organization has several options including webinars, online training, and live in-person seminars. Additionally, SANS also publishes newsletters and maintains forums for cybersecurity professionals to interact and share information.

Leverage your social network

Places like LinkedIn and Twitter are good places to start to find news and information about what is happening in the field, who the main leaders and influencers are, and what kinds of jobs and opportunities are available.

Starting a professional network early is also a great opportunity. Often professionals and members of the industry are willing to provide guidance and help to students who are genuinely interested in the field and looking for career opportunities. 

Cybersecurity competitions 

Cybersecurity competitions are a great way to get hands-on experience working on real cybersecurity problems and issues. As a PhD student or prospective student, cybersecurity competitions that are sponsored by industry groups are a great way to meet other cybersecurity professionals while working on projects that will help flesh out a resume or become talking points in later job interviews.

The US Cyber Challenge, for example, is a series of competitions and hackathon-style events hosted by the Department of Homeland Security Science and Technology Directorate and the Center for Internet Security to prepare the next generation of cybersecurity professionals.

Internships

Internships also continue to be a tried and true way to gain professional experience. Internships in technical fields like cybersecurity can also pay well. Like the industry itself, cybersecurity internships are available across a wide range of industries and can range from academic research-oriented to more corporate kinds of work. 

Things to consider when choosing a cybersecurity PhD program

There are many considerations to evaluate when considering any kind of graduate degree, but proper planning is essential to be able to obtain a doctoral degree. It’s also important to note that these are just guidelines and that each graduate program will have specific requirements, so be sure to double-check.

What you will need before applying to a cybersecurity PhD program:

  • All undergraduate and graduate transcripts
  • A statement of intent, which is like a cover letter outlining interest
  • Letters of reference
  • Application fee
  • Online application
  • A resume or CV outlining professional and academic accomplishments

What does a cybersecurity PhD program cost?

Obtaining a PhD is a massive investment, both in terms of time and money. Cybersecurity PhD students are weighing the cost of becoming an expert in the field with the payoff of having interesting and potentially lucrative career opportunities on the other side.

Degree requirements are usually satisfied in 60-75 hours, so the cost of a doctoral degree can be well into the six-figure range. Here’s a more specific breakdown:

Tuition rates

The Cybersecurity Guide research team looked at 26 programs that offer a cybersecurity-related PhD degree. Here’s a breakdown of tuition rates (all figures are based on out-of-state tuition).

$17,580 is the most affordable PhD program option and it is available at the Georgia Institute of Technology.

$86,833 is the average cost of a cybersecurity PhD and is based on tuition rates from all 26 schools.

$197,820 is the most expensive cybersecurity PhD program and is available at Indiana University Bloomington.

The good news is that by the time students get to the PhD level there are a lot of funding options — including some graduate programs that are completely funded by the university or academic departments themselves.

Additionally, funding in the form of research grants and other kinds of scholarships is available for students interested in pursuing cybersecurity studies. 

One example is the CyberCorps: Scholarships for Service program. Administered by the National Science Foundation, PhD students studying cybersecurity are eligible for a $34,000 a year scholarship, along with a professional stipend of $6,000 to attend conferences in exchange for agreeing to work for a government agency in the cybersecurity space after the PhD program. 

Frequently asked questions about cybersecurity PhD programs

Most traditional and online cybersecurity graduate programs require a minimum number of credits that need to be completed to obtain a degree. On average, it takes 71 credits to graduate with a PhD in cybersecurity — far longer (almost double) than traditional master’s degree programs. In addition to coursework, most PhD students also have research and teaching responsibilities that can be simultaneously demanding and great career preparation.

At the core of a cybersecurity doctoral program is a data science doctoral program; you’ll be expected to learn many skills and also how to apply them across domains and disciplines. Core curriculums will vary from program to program, but almost all will have a core foundation of statistics.

All PhD candidates will have to take a series of exams that act as checkpoints during the lengthy PhD process. The actual exam process and timing can vary depending on the university and the program, but the basic idea is that cybersecurity PhD candidates generally have to sit for a qualifying exam, which comes earlier in the program (usually the winter or spring of the second year of study), a preliminary exam, which a candidate takes to show they are ready to start the dissertation or research portion of the PhD program, and a final exam where PhD students present and defend their research and complete their degree requirements. 

A cybersecurity PhD dissertation is the capstone of a doctoral program. The dissertation is the name of a formal paper that presents the findings of original research that the PhD candidate conducted during the program under the guidance of faculty advisors. Some example cybersecurity research topics that could potentially be turned into dissertation ideas include:

  • Policies and best practices around passwords
  • Ways to defend against the rise of bots
  • Policies around encryption and privacy
  • Corporate responsibility for employee security
  • Internet advertising targeting and privacy
  • The new frontier of social engineering attacks
  • Operation security (OpSec) strategy and policy
  • Network infrastructure and defense
  • Cybersecurity law and policy
  • The vulnerabilities of biometrics
  • The role of ethical hacking
  • Cybersecurity forensics and enforcement

A complete listing of cybersecurity PhD programs

The following is a list of cybersecurity PhD programs. The listing is intended to work as a high-level index that provides enough basic information to make quick side-by-side comparisons easy. 

You should find basic data about what each school requires (such as a GRE score or prior academic work) as well as the number of credits required, estimated costs, and a link to the program.

Arizona State University

  • Aim: Equip students with in-depth expertise in cybersecurity.
  • Study Modules: Delve into advanced computer science subjects and specific cybersecurity courses.
  • Research Component: Students undertake groundbreaking research in the cybersecurity domain.

Carnegie Mellon University

  • CNBC Collaboration: A joint effort between Carnegie Mellon and the University of Pittsburgh to train students in understanding the brain's role in cognition.
  • Training Program: Students take four main neuroscience courses and participate in seminars and ethics training.
  • Course Integration: Whether students have a B.S. or M.S. degree, they can combine the CNBC and ECE Ph.D. courses without extra workload.

Colorado School of Mines

  • Research Focus: Cybersecurity: Studying online security and privacy.
  • Cost and Financial Aid: Provides details on program costs and available financial support.
  • Current Mines Community: Offers specific information for those already affiliated with Mines.

Indiana University Bloomington

  • Focus Areas: Options include Animal Informatics, Bioinformatics, Computer Design, and more.
  • Information Sessions: The university holds events to guide potential students about admissions and study options.
  • Minor Requirement: All Ph.D. students must complete a minor, which can be from within the Luddy School of Informatics or from another approved school at IU Bloomington.

Iowa State University

  • Details: The program is open to both domestic and international students.
  • Time to Complete: Ph.D.: About 5.2 years
  • Goals: Students should gain deep knowledge, follow ethics, share their findings, and do advanced research if they're writing a thesis.
  • Learning Goals: Master core areas of Computer Science, achieve in-depth knowledge in a chosen subfield, obtain expertise to perform original research, and demonstrate the ability to communicate technical concepts and research results.
  • Duration: Median time to earn the doctorate is 5.8 years.
  • Application Information: The program is open to both domestic and international students.
  • Program's Aim: The Ph.D. program is tailored to produce scholars proficient in leading research initiatives, undertaking rigorous industrial research, or imparting high-level computer science education.
  • Entry Routes: The program welcomes both students holding a B.S. degree for direct admission and those with an M.S. degree.
  • Dissertation's Role: It stands as the pivotal component of the Ph.D. journey. Collaboration between the student, their dissertation director, and the guiding committee is essential.

Naval Postgraduate School

  • Program Essence: The Computer Science Ph.D. is a top-tier academic program in the U.S.
  • Admission Criteria: Open to military officers from the U.S. and abroad, U.S. governmental employees, and staff of foreign governments.
  • Curriculum: Designed to deepen knowledge in computing, with a focus on the needs of the U.S. Department of Defense.
  • Emphasis on Research: The college showcases its strength in research through sections dedicated to Research Areas, affiliated Institutes & Centers, ongoing Research Projects, and specialized Labs & Groups.
  • Holistic Student Growth: The college promotes a comprehensive student experience, spotlighting Clubs & Organizations, campus Facilities, and tech Systems.
  • Guidance for Future Students: Provides tailored insights for students considering joining at various academic levels, from Undergraduate to PhD.
  • Broad Learning: The program covers many areas, from software and policy to psychology and ethics, reflecting the wide scope of cybersecurity.
  • Course Design: Students learn foundational security topics first and then dive into specialized areas, like cyber forensics.
  • Successful Alumni: Past students now work in places like NASA, Amazon, and Google.
  • Feature: Students can apply to up to three different campuses and/or majors using a single application and fee payment.
  • Preparing for a Globalized World: Courses such as Global Supply Chain Management equip students for international careers.
  • Tech-Forward Curriculum: Purdue's commitment to advanced technology is evident.

Rochester Institute of Technology

  • Cyberinfrastructure Focus: The program dives deep into how hardware, data, and networks work together to create secure and efficient digital tools.
  • Broad Applications: The program uses computing to solve problems in fields like science, arts, and business.
  • Success Rate: All RIT graduates from this program have found relevant roles, especially in the Internet and Software sectors.

Sam Houston State University

  • Program's Objective: The course aims to nurture students to be technically adept and also to take on leadership roles in the digital and cyber forensic domain across various industries.
  • Assessments: Students undergo comprehensive tests to evaluate their understanding.
  • Research Paper (Dissertation): Once students reach the doctoral candidacy phase, they must produce and defend a significant research paper or dissertation.
  • Funding: All Ph.D. students get financial help, so they can start their research right away.
  • Teachers: The program has top experts, including those who've made big discoveries in computer science.
  • Research Areas: Students can study the latest topics like AI, computer vision, and online security.

The University of Tennessee

  • Study Areas: Options include Cybersecurity, Data Analytics, Computer Vision, and more.
  • Tests: You'll have to pass a few exams, including one when you start, one before your final project, and then present your final project.
  • Courses: Some specific courses are needed, and your main professor will help decide which ones.
  • Big Exam: Before moving forward, you'll take a detailed exam about your research topic.
  • Final Step: You'll present and defend your research project to experts.
  • Overview: This program is for those with a degree in Computer Science or similar fields. It has special focus areas like Cybersecurity and Machine Learning.

University of Arizona

  • Study Plan: Students start with learning research basics and then dive into modern tech topics.
  • Support for Students: All PhD students get funding that covers their studies, a stipend, and health insurance. Money for travel to conferences is also available.
  • After Graduation: Alumni work at top universities and big companies like Google and Microsoft.

University of California-Davis

  • About the Program: Students engage in deep research, ending with a dissertation.
  • Jobs After Graduation: Roles in companies or academic positions.
  • Vibrant Community: Beyond academics, students join a supportive community, enriching their Ph.D. experience.

University of Colorado - Colorado Springs

  • Recognition: UCCS is recognized by the National Security Agency (NSA) and the Department of Homeland Security for excellence in Information Assurance Education.
  • Course Approval: The NSA has approved UCCS's courses as meeting national security training standards.
  • Overview: This program focuses on vital areas like cyber security, physical security, and homeland security.

University of Idaho

  • Partnership with NSA and DHS: The university is part of a program to boost cyber defense education.
  • Recognition: The University of Idaho is among the institutions recognized as Centers of Academic Excellence in Cyber Defense.
  • Objective: To minimize vulnerabilities in the national information infrastructure.
  • Overview: This program is meticulously crafted to deliver premier legal education to its students.
  • Courses: Encompasses a balanced mix of traditional legal doctrines, theoretical viewpoints, and hands-on practical experiences.
  • Aim: The primary objective is to equip students with top-notch legal education.

University of Missouri-Columbia

  • Seminars: PhD students should attend 20 seminars. If they were previously Master's students, their past attendance counts.
  • Timeline Requirements: Comprehensive Exam must be completed within five years of starting the program.
  • Dissertation and Publication: At least one journal paper must be submitted, accepted, or published.

University of North Carolina at Charlotte

  • Faculty: The faculty members are renowned for their impactful research contributions on a global scale.
  • Curriculum: The curriculum is versatile, catering to individuals aiming for academia as well as those targeting roles in the corporate, commerce, or public sectors.
  • Program: A blend of theoretical and hands-on research is emphasized, offering a well-rounded educational experience.

Virginia Tech

  • Seminars and Ethics: Students attend special seminars and complete training on scholarly ethics and diversity.
  • Guidance: Each student gets a faculty advisor. A group of faculty members, called a committee, also guides them.
  • Major Exams: Students go through four main stages: a qualifying process, a preliminary proposal, a research presentation, and a final defense.
  • Strong Research: WPI's PhD program is recognized for its excellent research contributions.
  • Practical Focus: The program teaches students to tackle real tech challenges.
  • Modern Labs: Students use the latest labs like the Human-Robot Interaction Lab.

Dakota State University

  • Program Goal: Train students to handle and prevent cyber threats.
  • Awards: The university has received top cybersecurity awards.
  • What You'll Learn: Research skills, cyber defense techniques, and ethical decision-making.

New Jersey City University, College of Professional Studies

  • About: Focuses on best practices in areas like national security, cyber defense, and crisis communication.
  • Recognitions: The program has been honored by the National Security Agency since 2009 and was recognized for excellence in intelligence studies.
  • Jobs: Graduates are prepared for top roles in sectors like government and education.
  • Program Content: The course dives deep into modern cybersecurity topics, from new tech and artificial intelligence to specialized research areas.
  • Location Benefits: The university is near many cybersecurity companies and government agencies, giving students unique opportunities.
  • For Working People: It's crafted for professionals, allowing them to experience various cybersecurity roles, from tech firms to government.
  • Completion Time: Students have up to ten years from starting to finish their dissertation.
  • Program: Trains students for roles in academia, government, and business.
  • Multidisciplinary Approach: The program combines both technical and managerial aspects of cybersecurity, offering a comprehensive understanding of the field.

The University of Rhode Island

  • Research Focus: The Ph.D. program is centered around a big research project in Computer Science.
  • Qualifying Exams: Students take exams on core topics, but some might get exemptions if they're already skilled in certain areas.
  • Equal Opportunity: The University of Rhode Island is committed to the principles of affirmative action and is an equal opportunity employer.

University of North Texas

  • Team Effort: The program is a collaboration between various UNT departments for a well-rounded view of cybersecurity.
  • Goals: The course aims to develop critical thinkers who are passionate about the role of information in our lives and can work across different fields.
  • Skills Gained: Students will learn about research, teaching methods, decision-making, leadership, and analyzing data.

New York University Tandon School of Engineering

  • Scholarships: Many students get scholarships that pay for tuition and give a monthly allowance.
  • Research Interest: Research areas include cybersecurity, computer games, web search, graphics, and more.
  • Experience: Students can also research in NYU's campuses in Shanghai or Abu Dhabi.
  • One Degree for All: Every student gets the same Ph.D., regardless of their specific area of study.
  • Research Focus: The program emphasizes deep research and prepares students for advanced roles.
  • Major Project: Students work on a big research project, adding new knowledge to the computing world.
  • Program: Prepares students for leadership roles in different sectors.
  • Opportunities: Qualified students might get opportunities as Research or Teaching Assistants.
  • Overview: Focuses on advanced research and modern technologies.

Augusta University

  • Goal: The program prepares students for research roles and to make new discoveries in tech.
  • Benefits: A Ph.D. opens up leadership opportunities in tech sectors.
  • Overview: It focuses on new discoveries in areas like security, artificial intelligence, and virtual reality.

University of Texas at San Antonio

  • Financial Support: Full-time students can get funding, which covers tuition and offers roles like teaching assistants.
  • Job Prospects: UTSA trains students for jobs that are in high demand, using data from official sources.
  • Overview: The program focuses on in-depth research and teaching.

University of Central Florida

  • Mix of Subjects: Students can take courses from different areas, giving them a broad view of security topics.
  • Many Job Options: Graduates can work in government, big companies, or teach in universities.
  • Hands-on Learning: The program offers research, study projects, and internships for real-world experience.

The University of Edinburgh

Cyber Security, Privacy and Trust PhD

Awards: PhD

Study modes: Full-time

Programme website: Cyber Security, Privacy and Trust

Research profile

The increasing reliance of systems and services on information technology in the public, private and third sector has significantly raised the impact of cyber attacks in the last two decades.

This PhD programme in Cyber Security, Privacy and Trust is a response to the growing need for highly specialized research and training in these topics. Cyber security and resiliency is a complex problem that requires designing and understanding underlying technologies but also how business processes, cost, usability, trust and the law play a role for effective technology deployment.

The aim of this PhD programme is to provide students with research training in specialised topics of security, privacy and trust, helping produce the next generation of world-leading experts of the field.

Programme structure

The PhD in Cyber Security, Privacy and Trust trains you as a researcher and allows you to develop advanced techniques and in-depth knowledge in a specialist area. You will develop an all-round knowledge of your discipline, and a broad range of transferable skills.

You will carry out independent research, resulting in an original contribution to knowledge in your chosen area, working under the guidance of your supervisors.

The prescribed period of study is 36 months if studying full-time, or between 48 and 72 months if studying part-time.

Year 1 of PhD studies is probationary. Your supervisor will identify your training needs, if any, and invite you to attend lectures relevant to your research topic. These lectures may be selected from those offered to MSc students or may be specialist courses and seminars organised by the School's various research groupings.

Towards the end of Year 1, you will be expected to submit a thesis proposal which identifies a specific research topic, reviews the relevant literature, outlines a plan of research to address the topic, and describes progress made so far.

Progress during your PhD is assessed by annual reviews, which formally determine whether you can progress with your PhD. You will be required to complete and pass a PhD annual review at the end of each year of study, and your thesis is expected to be submitted at the end of Year 3. Following thesis submission, you will be required to attend an oral examination (or viva), which will be conducted by an external and an internal examiner.

Work placements/internships

Many postgraduate research students in the School of Informatics undertake at least one optional internship during their PhD, gaining important transferable skills whilst working with companies, public or third sector organisations.

The School of Informatics maintains a range of connections to potential employers in the cyber security and other sectors. Work placements or internships are considered a valuable aspect of research training as they expose students to an applied research culture, and can provide valuable contacts for future job searches.

Training and support

As a research student in the School of Informatics, you will have access to a highly respected academic staff community, including staff who have won prizes for their research and who are Fellows of learned societies.

The University of Edinburgh has been recognised as a UK Academic Centre of Excellence in Cyber Security Research. This is based on the amount and quality of its research output, as well as its level of PhD training.

Within the School of Informatics, the Security, Privacy and Trust Group includes academic staff who lead research in a range of technical and socio-technical areas of cyber security. Staff also supervise PhD students on this programme.

You will carry out your research under the guidance of a primary supervisor and at least one other secondary or co-supervisor. You will be expected to attend seminars and meetings of relevant research groups and may also attend lectures that are relevant to your research topic. Periodic reviews of your progress will be conducted to assist with research planning.

A programme of transferable skills courses will be offered, which facilitates broader professional development in a wide range of topics, from writing and presentation skills to entrepreneurship and career strategies.

The award-winning Informatics Forum is an international research facility for computing and related areas. It houses more than 400 research staff and students, providing office, meeting and social spaces.

The Forum also contains several robotics labs, an instrumented multimedia room, eye-tracking and motion capture systems, and a full recording studio amongst other research facilities. Its spectacular atrium plays host to many events, from industry showcases and student hackathons to major research conferences.

Nearby teaching facilities include computer and teaching labs with more than 250 machines, 24-hour access to IT facilities for students, and comprehensive support provided by dedicated computing staff.

There are further specific facilities to support aspects of cyber security research, including an Internet of Things Lab and a Network Security Lab. The Blockchain Technology Lab is a research lab supporting investigations into distributed ledger technology.

Among our wider entrepreneurial initiatives is Informatics Ventures, set up to support globally ambitious software companies in Scotland and nurture a technology cluster to rival Boston, Pittsburgh, Kyoto and Silicon Valley.

Career opportunities

There is high demand for security and privacy experts in industry, academia, and the public sector. Commercially, there is also a large variety of opportunities in both small and large companies.

Previous PhD graduates associated with the Security and Privacy Group have gone on to employment in industry with companies including:

  • ION Geophysical
  • Disney Research
  • Deutsche Bank.

Students have also gone on to academic employment at institutions including, to name a few:

  • University of Oxford
  • University of Bristol
  • University of Oldenburg
  • University of Auckland
  • University of Birmingham
  • University of Surrey
  • University of Munich
  • Cambridge University
  • Queen’s University Belfast
  • Tsinghua University
  • Lancaster University

Entry requirements

These entry requirements are for the 2024/25 academic year and requirements for future academic years may differ. Entry requirements for the 2025/26 academic year will be published on 1 Oct 2024.

A UK 2:1 honours degree, or its international equivalent, in computer science, mathematics, linguistics, or a related discipline. A Masters degree or equivalent, in information security, cyber security or a closely related discipline is recommended.

International qualifications

Check whether your international qualifications meet our general entry requirements:

  • Entry requirements by country
  • English language requirements

Regardless of your nationality or country of residence, you must demonstrate a level of English language competency that will enable you to succeed in your studies.

English language tests

We accept the following English language qualifications at the grades specified:

  • IELTS Academic: total 7.0 with at least 6.0 in each component. We do not accept IELTS One Skill Retake to meet our English language requirements.
  • TOEFL-iBT (including Home Edition): total 100 with at least 20 in each component. We do not accept TOEFL MyBest Score to meet our English language requirements.
  • C1 Advanced (CAE) / C2 Proficiency (CPE): total 185 with at least 169 in each component.
  • Trinity ISE: ISE III with passes in all four components.
  • PTE Academic: total 70 with at least 59 in each component.

Your English language qualification must be no more than three and a half years old from the start date of the programme you are applying to study, unless you are using IELTS, TOEFL, Trinity ISE or PTE, in which case it must be no more than two years old.

Degrees taught and assessed in English

We also accept an undergraduate or postgraduate degree that has been taught and assessed in English in a majority English speaking country, as defined by UK Visas and Immigration:

  • UKVI list of majority English speaking countries

We also accept a degree that has been taught and assessed in English from a university on our list of approved universities in non-majority English speaking countries (non-MESC).

  • Approved universities in non-MESC

If you are not a national of a majority English speaking country, then your degree must be no more than five years old* at the beginning of your programme of study. (*Revised 05 March 2024 to extend degree validity to five years.)

Find out more about our language requirements:

  • Academic Technology Approval Scheme

If you are not an EU, EEA or Swiss national, you may need an Academic Technology Approval Scheme clearance certificate in order to study this programme.

Fees and costs

Scholarships and funding

Featured funding

  • Security, Privacy and Trust Group PhD topics (some with scholarships)
  • School of Informatics scholarships for research students
  • Research scholarships for international students

Please note that some University and School scholarships require separate applications via the Scholarships portal.

UK government postgraduate loans

If you live in the UK, you may be able to apply for a postgraduate loan from one of the UK’s governments.

The type and amount of financial support you are eligible for will depend on:

  • your programme
  • the duration of your studies
  • your tuition fee status

Programmes studied on a part-time intermittent basis are not eligible.

  • UK government and other external funding

Search for scholarships and funding opportunities:

  • Search for funding

Further information

  • IGS Admissions Administrator
  • Phone: +44 (0)131 650 3091
  • Contact: [email protected]
  • School of Informatics Graduate School
  • Office 3.42
  • Informatics Forum
  • Central Campus
  • Programme: Cyber Security, Privacy and Trust
  • School: Informatics
  • College: Science & Engineering

Select your programme and preferred start date to begin your application.

PhD Cyber Security, Privacy and Trust - 3 Years (Full-time)

Application deadlines.

Applications for 2024/25 entry are now open and can be submitted all year round.

Please submit your completed application at least three months prior to desired entry date.

If you want to be considered for School funded PhD scholarships you must apply by one of two rounds:

(Revised 25 October 2023 to update application deadlines)

(Revised 15 February 2024 to extend the round 2 application deadline)

  • How to apply

You must submit two references with your application.

You must submit an application via the EUCLID application portal and provide the required information and documentation. This will include submission of:

  • a Curriculum Vitae (CV)
  • research proposal (2-5 pages long)
  • degree certificates and official transcripts of all completed and in-progress degrees (plus certified translations if academic documents are not issued in English)
  • two academic references

Only complete applications will progress forward to the academic selection stage.

Read through detailed guidance on how to apply for a PGR programme in the School of Informatics:

  • School of Informatics PGR Application Guidance

Find out more about the general application process for postgraduate programmes:

Machine Learning Security

Short PhD seminar on machine learning security (adversarial machine learning).

A short course on adversarial machine learning.

Academic Year 2022-2023

Instructor: Dr. Ambra Demontis

Modality: Online

PhD programme in Electronic and Computer Engineering (Univ. Cagliari)

GitHub repository for course material: https://github.com/unica-mlsec/mlsec-phd

Course objectives and outcome

The objective of this course is to provide students with the fundamental elements of machine learning security in the context of different application domains. The main concepts and methods of adversarial machine learning are presented, from threat modeling to attacks and defenses, as well as basic methods to properly evaluate adversarial robustness of a machine learning model against different attacks.

An understanding of fundamental concepts and methods of machine learning security and its applications. An ability to analyse and evaluate attacks and defenses in the context of application-specific domains. An ability to design and evaluate robust machine learning models with Python and test them on benchmark data sets.

Class schedule/Course Outline (20 hours, 2 CFU)

  • Introduction to Machine Learning Security: Threat Models and Attacks (3h)
  • Evasion attacks and countermeasures (8h)
  • Poisoning attacks and countermeasures (6h)
  • Backdoor poisoning, privacy-related threats, and defenses (3h)

Ghada Almashaqbeh Assistant Professor of Computer Science University of Connecticut

Contact: Email: ghada at uconn.edu

I am an assistant professor in the School of Computing at UConn. I am also an affiliated member at the Connecticut Advanced Computing Center (CACC) and the Engineering for Human Rights Initiative. Before joining UConn, I spent a while exploring the entrepreneurship world. I cofounded CacheCash, a startup that came out of my PhD thesis, and I was a Cryptographer at NuCypher. Now, I am a scientific advisor at Sunscreen Tech and The Melon, a 2023 Foresight Institute fellow, and a 2023/2024 TLDR fellow at Uniswap Foundation.

I received my PhD in Computer Science from Columbia University in 2019, where I was a member of the Cryptography Lab and the Data Science Institute. During the PhD, I was fortunate to have Allison Bishop and Tal Malkin as my advisors.

My research interests cover cryptography, computer systems security, and privacy, with a focus on blockchain-based systems and distributed cryptographic protocols. My research is supported by NSF, Protocol Labs, Uniswap Foundation, and UConn Research Excellence Award.

Recruiting: I am always looking for self-motivated and talented Postdocs and PhD students to join my group. If you are interested in working on timely and real-world problems in the fields of cryptography, privacy, and systems security, feel free to contact me!

Security and Crime Science MPhil/PhD

London, Bloomsbury

UCL Security and Crime Science is widely recognised for the impact of its research on real-world crime problems. The Department has long-standing links with police forces, policy makers, academic research centres of excellence and security organisations in the UK and internationally.

A PhD with us allows you to pursue original research and make a distinct and significant contribution to your field.

UK tuition fees (2024/25)

Overseas tuition fees (2024/25), programme starts, applications accepted.

  • Entry requirements

Evidence of graduate research experience, for example a Master's degree, and a minimum of an upper second-class UK Bachelor's degree, or an overseas qualification of an equivalent standard. Applicants must also consider whether the Department of Security and Crime Science has the relevant expertise available to offer sufficient supervision in their chosen area of research. You will be expected to identify two UCL academics to supervise your research before applying. Ideally you will have contacted them before applying to ensure they are able to support your application. Following consideration of applications at the department's Graduate Research Committee, students may be requested to attend an interview with prospective supervisors (either in person or by telephone).

The English language level for this programme is: Level 3

UCL Pre-Master's and Pre-sessional English courses are for international students who are aiming to study for a postgraduate degree at UCL. The courses will develop your academic English and academic skills required to succeed at postgraduate level.

Further information can be found on our English language requirements page.

Equivalent qualifications

Country-specific information, including details of when UCL representatives are visiting your part of the world, can be obtained from the International Students website.

International applicants can find out the equivalent qualification for their country by selecting from the list below. Please note that the equivalency will correspond to the broad UK degree classification stated on this page (e.g. upper second-class). Where a specific overall percentage is required in the UK qualification, the international equivalency will be higher than that stated below. Please contact Graduate Admissions should you require further advice.

About this degree

The Department of Security and Crime Science is organised into five centres of excellence:

  • Geographical analysis
  • The "Designing Out Crime" group
  • The crime policy and evaluation group
  • Terrorism and organised crime
  • Forensic science

Staff and students work across these groups, across UCL and in the wider research community, which includes active international collaborations.

Who this course is for

Security and Crime Science is a multi-disciplinary subject, drawing on expertise in psychology, social science, statistics, mathematics, architecture, forensic sciences, design, geography and computing. This is reflected in our students, who come from a variety of backgrounds. This makes the department an interesting and stimulating environment in which to study.

We seek graduates from all disciplines who want to solve real-world security and crime problems.

What this course will give you

UCL Security and Crime Science is devoted specifically to reducing crime through teaching, research, public policy analysis and by the dissemination of evidence-based information on crime reduction. Our mission is to change crime policy and practice.

At UCL Security and Crime Science, we are committed to the quality and relevance of the research supervision we offer. As an MPhil/PhD student, you will work with academics at the cutting edge of scholarship. You will also be an integral part of our thriving and collaborative research community, in the department and more widely at UCL.

The foundation of your career

This PhD programme is a well-established programme that draws in students from around the world who have gone on to exciting careers in security and crime sectors.

Graduates from our research programmes go on to research careers and to take up lecturing posts in academic institutions. Others have taken up policy-related positions in the public and private security sectors.

Employability

This is the first PhD programme of its kind to combine a multidisciplinary crime or security doctoral degree with a programme of taught modules (focusing on the application of scientific method to crime reduction) and professional skills training.

Our aim is to produce a new generation of crime and security practitioners with the skills to tackle modern and evolving crime threats. With over 60 partners in industry and the public sector and some of the world's leading academics at UCL working in these areas, we provide excellent supervision and career prospects.

We have long-established links with police forces, policy makers at all levels, academic research centres of excellence and security organisations in both the UK and internationally.

The department attracts leading figures in the field to our extensive programme of events which inform debates around crime prevention. Regular events include the Women in Security showcase, annual International Crime Science conference, regular seminars and outside speakers.

These events provide a platform for students to connect with crime science practitioners and researchers across academia, government, and industry, offering a chance to learn from their expertise and establish valuable contacts.

Collaborative working at UCL is also an important aspect of our multidisciplinary research programme. The MPhil/PhD in Security and Crime Science gives students the opportunity to mix with peers from backgrounds including architecture, computer science, statistics, electronic engineering, chemistry, forensic sciences, psychology, philosophy, ethics and laws.

Teaching and learning

The initial registration on the programme will be on an MPhil basis. In order to progress to the PhD, students are required to pass an ‘upgrade’. The purpose of the upgrade is to assess your progress and ability to complete your PhD programme to a good standard and in a reasonable time frame.

The Doctor of Philosophy (PhD) consists of a piece of supervised research, normally undertaken over a period of three years of full-time or five years of part-time study. Assessment is by means of a thesis, which should demonstrate your capacity to pursue original research based upon a good understanding of the research techniques and concepts appropriate to the discipline.

You should meet frequently with your supervisors and engage with the departmental and UCL communities more widely through events, training, and networking opportunities.

The PhD is examined by a viva committee comprising two experts in the field, an external examiner, and an internal examiner. Your supervisor nominates suitable examiners during your final year, in consultation with you, and the nominations are scrutinised by UCL’s examinations office who may approve or reject them. You should not have had prior contact with either examiner. The viva usually takes two to three hours.

As a full-time student you are expected to devote at least 35 hours per week to your studies for the full duration of your programme. If you are studying part-time, you should expect to spend at least 17.5 hours per week.

As a research student, your principal supervisor will establish a timetable of regular meetings where all matters relating to your work can be discussed.

These meetings should take place at least once per month. Subsidiary supervisors should stay acquainted with the progress of your work and be present at annual supervisory meetings, as a minimum.

Research areas and structure

The department has five main research groups:

  • Counter-terrorism: situational prevention of terrorism; technology for counter-terrorism; transferable training between crime and terrorism
  • Crime mapping: innovation in crime mapping methods; prospective crime mapping
  • Crime policy analysis and evaluation: evaluation of crime prevention schemes; knowledge transfer
  • Designing out crime: role of design in crime prevention; environmental design; crime risk and administrative procedure design
  • Forensic sciences: forensic science reconstruction; interpretation of evidence; trace evidence dynamics (including DNA, residues/particulates, environmental evidence etc.).

UCL Security and Crime Science hosts the UCL Security Science Doctoral Research Training Centre (UCL SECReT), an international centre for PhD training in security and crime science.

We offer an integrated PhD programme for students wishing to pursue multi-disciplinary security or crime-related research degrees. We expect their research to be interdisciplinary and to involve some 'hard science' element. Our research is underpinned by a methodology combining science and engineering expertise with expertise from wider disciplines including the social sciences. We see four research 'domains' which can interact:

  • Science and technology innovation: to create the next generation of security technologies
  • People factors: understanding and incorporating human factors (via behavioural science, decision-making techniques, etc.) into the development of security solutions
  • Process factors: enhancing security processes by increasing our understanding of the operational processes of activities, organisations or infrastructures under threat
  • Policy: contributing to the development of government policy through research findings.

Research environment

Our department has a distinctly interdisciplinary outlook on the prevention of crime, terrorism and organised crime. We have long-established links with police forces, policy makers, academic research centres of excellence, and security organisations in the UK and internationally. 

The department has a successful track record of working closely with practitioners and is widely recognised for its knowledge transfer and exchange activities, as well as the impact of its research on real world crime problems.  

In the 2021 Research Excellence Framework (REF) exercise, the department’s research environment was deemed to be 87.5% ‘world-leading' and 12.5% ‘internationally excellent’, placing it 6th in this area of REF assessment.

As a Security and Crime Science MPhil/PhD student, you will have the opportunity to learn from, and contribute to, this thriving research culture.

The length of registration for our research degree programmes is three years for full-time study and five years for part-time study.

You are required to register initially for the MPhil degree with the expectation of transfer to PhD after successful completion of an upgrade viva 9-18 months after initial registration.

Upon successful completion of your approved period of registration, you may start a writing period called Completing Research Status (CRS), within which you write up your thesis.

To successfully upgrade to a PhD, you are required to submit a piece of writing demonstrating sufficient theoretical, conceptual, and methodological development as well as a clearly articulated plan to finish the thesis.

You are also required to present and answer questions about this work to a panel consisting of your subsidiary supervisor and another member of the faculty who acts as an independent assessor.

You are required to register initially for the MPhil degree with the expectation of transfer to PhD after successful completion of an upgrade viva 24 months after initial registration.

Accessibility

Details of the accessibility of UCL buildings can be obtained from AccessAble (accessable.co.uk). Further information can also be obtained from the UCL Student Support and Wellbeing team.

Online - Open day

Security and Crime Science PhD Open Evening

Join our open event series to learn more about our PhD programme, future career opportunities and what it's like to be part of our fantastic community. There are also questions for our academics, admission tutors and current students.

Fees and funding

Fees for this course.

The tuition fees shown are for the year indicated above. Fees for subsequent years may increase or otherwise vary. Where the programme is offered on a flexible/modular basis, fees are charged pro-rata to the appropriate full-time Master's fee taken in an academic session. Further information on fee status, fee increases and the fee schedule can be viewed on the UCL Students website: ucl.ac.uk/students/fees.

Additional costs

There are no additional costs associated with this programme.

For more information on additional costs for prospective students please go to our estimated cost of essential expenditure at Accommodation and living costs.

Funding your studies

For a comprehensive list of the funding opportunities available at UCL, including funding relevant to your nationality, please visit the Scholarships and Funding website.

CSC-UCL Joint Research Scholarship

Value: Fees, maintenance and travel (Duration of programme). Criteria: Based on academic merit. Eligibility: EU, Overseas.

If you meet the entry requirements, you will need to identify at least two UCL academics with the expertise needed to assess your technical skills and act as your supervisors. To support with this, we suggest you check our departmental website to identify the interests and areas of expertise of current academics.

Before applying, please ensure you focus on a research proposal of approximately 3000 words which introduces the research questions and hypotheses you would like to investigate, and the research methods you would like to apply in your work. Clearly indicate how the required data will be obtained, and what resources you need for your project. You can find guidance on writing a research proposal online.

Deadlines and start dates are usually dictated by funding arrangements, so please check with the department or academic unit before applying to see if you need to consider these. In most cases, you should identify and contact potential supervisors before making your application.

For more information see our How to apply page and ensure you visit our website.

Please note that you may submit applications for a maximum of two graduate programmes (or one application for the Law LLM) in any application cycle.

Choose your programme

Please read the Application Guidance before proceeding with your application.

Year of entry: 2024-2025

Got questions? Get in touch.

Security and Crime Science

[email protected]

UCL is regulated by the Office for Students.


Advice for Prospective Research Students

Like most professors, I get several hundred emails a year from prospective students interested in coming to our university for graduate school and joining my research group. I try to reply to all messages that are not obviously spam, but find most messages I receive make me less likely to want to accept the students sending them.

This page provides some advice for prospective grad school applicants considering emailing me, but most of it probably applies to any other professor you want to contact also.

Who To Contact

It's a really bad idea to send spam emails to long lists of professors. These emails will never help you, and some professors will maintain blacklists of applicants who do this to make sure their application is rejected without consideration.

Your goal in sending email is not to contact as many professors as you can, but to identify a few professors who you might want as your research advisor and then to find which of those seem most promising as advisors and convince them that you would be a worthwhile student.

You should only contact professors with whom you have a genuine interest in working based on knowing something about them and what they do. You can find out about professors’ research by looking at their web pages (professors who don’t have web pages about their research are either not interested in recruiting students, not doing any research, or so famous they probably have someone to filter their email for them).

Do Your Homework

Before contacting a potential advisor, do your homework: read the advisor’s home page (mine is www.cs.virginia.edu/evans/, and our group blog is uvasrg.github.io) and at least one recent paper (my papers).

If doing this doesn’t give you any interesting ideas, this is probably not someone with whom you want to do research so you shouldn’t waste time contacting her or him. If it does, send a short introductory email.

First Email

A typical message should go something like this:

Of course, your insight isn’t likely to be so significant as Flipper’s. But, you should make an effort to raise an interesting question about the work described in the paper, to suggest extensions or applications of the work, or to relate it directly to something you have done.

It is definitely worth taking time to write clearly and concisely using correct spelling and grammar. As with all emails, the message should be broken into short paragraphs, and the sentences should be simple and straightforward.

What Not To Do

Never do any of these:

  • Be aware that most email is filtered out by spam filters these days and never reaches the intended recipient. If you are a non-native English speaker sending email to someone at an English-speaking institution, make sure your "From:" address appears using the English alphabet. Using characters that are not standard English in your email increases the risk that it will be filtered out as spam. I do realize it is very unfair for us to expect you to change your name for our convenience and cultural ignorance! But, once you get admitted you can and should tell people what you want them to call you. (Note that for your formal application it may be necessary to use a Westernized version of your name to comply with the application form, so if you use another name in your email communications with faculty, it is important to also provide the name you use in your application so they can identify the corresponding application. This is a good opportunity to refresh the relationship after you send in your application by informing your contact of the formal name used in your application.)
  • Don't use any fancy formatting in your email (including your message signature).

Since most professors get lots of email, there is some chance that even if you do everything right, your message will get lost in my inbox and you won’t get a reply. If you don’t get a reply after about a week, send a follow-up email that politely asks if the message was received and includes the previous message. If you still don’t get a response, that’s a pretty good sign that the potential professor you are contacting either has an overly aggressive spam filter, or is not someone you want as your advisor.

Getting into a good PhD program is extremely competitive and professors are strongly motivated to identify and attract the best possible research students to their group. At any department you would want to go to (including UVA), the acceptance rate is usually in the single digit percentages. At the most competitive departments, only a few slots every year are awarded to students without recommendation letters from people the faculty know well.

It takes work to find the right PhD program and advisor, but contacting potential advisors directly is your best way to find a research group that matches your interests and goals well and possibly to improve your chances of being admitted.

Once you’ve read and followed these directions, please feel free to contact me about coming to UVA to do a PhD in Computer Science. Your goal is to start an interesting email conversation about research ideas.

If you find that my research does not fit well with your interests, feel free to post comments below for general advice.

To succeed in your PhD, you may want to read My Advice Collection on other topics.

After you finish your PhD, you may be interested in How to Live in Paradise!

Application security orchestration with GitHub Advanced Security

Learn how teams can leverage the power of GitHub Advanced Security’s code scanning and GitHub Actions to integrate the right security testing tools at the right time.

August 8, 2023: We’ve added a section with two example tools for fuzz testing.

With the interconnectedness of modern software and the different types of code, you’ll often need to use numerous application security tools, each purpose-built to detect a specific kind of risk from a specific portion of your software. When integrating multiple tools into your workflow, you may find yourself trading off productivity–and collaboration–for security. That’s because different tooling, with different user experiences, can create context switching and inconsistency across how you test.

At GitHub, we don’t believe in sacrificing your experience, productivity, or collaboration for security. GitHub Advanced Security (GHAS) embeds security testing into your familiar workflow, helping you to prevent and fix vulnerabilities and secret leaks. With GHAS, you can also seamlessly integrate open source and third-party testing tools in the same workflow as the native GitHub security solutions. This means that on every pull request, you can automate security testing and cohesively display results in the same format that GitHub results are delivered in, creating continuity in your developer experience.

Cresta makes security scalable by automating code scanning using GitHub Actions. About eighty percent of developers are fixing code on the pull request. You can’t get much more impactful than that.

To help you secure your code, most GHAS security features are free on all public repositories and are offered as an add-on to protect your private repositories. This means you can use GHAS to analyze your code for leaked credentials with secret scanning, identify known insecure coding patterns with CodeQL, and find vulnerabilities in your supply chain using Dependabot and Dependency review, all while having visibility into findings with security overview. To extend or complement these GitHub-native capabilities, you can choose from more than 60 integrations to open source or third-party application security tools spanning SAST, Mobile, SCA, DAST, API, or container scanning out of the box. This empowers you to choose the best tool for you and your software without sacrificing a robust security orchestration experience.

Selecting tools to build your AppSec program

Your AppSec program will consist of a variety of tools, each purpose-built for a specific type of risk. The combination of tools you’ll need will depend on your unique code. No matter which tool you select, once you’ve automated your security testing with GitHub Actions, every pull request will be tested automatically. If a security finding is detected, it will be surfaced to you directly in the pull request, giving you the same user experience as GitHub’s built-in security solutions. To help you select the right tool for your team, we’ve mapped out common testing types and why you may use them.


Note: all third-party tools in this section are provided as an example, not as a formal recommendation from GitHub; please research any tool based on your unique needs before selecting that as your tool of choice.

To ensure the code you’re writing is secure, GitHub has a native SAST tool, CodeQL. CodeQL is a semantic code analysis engine that powers GitHub code scanning and allows you to prevent and fix security vulnerabilities in your source code. CodeQL will identify the OWASP Top 10, hardcoded credentials, and other types of insecure coding patterns.

If you use languages, like Rust or Elixir, that are not currently supported by CodeQL, or want to extend the depth of your mobile testing, you can extend your coverage with open source or third-party tooling, such as Sobelow or NowSecure, via GitHub code scanning with GitHub Actions. The integration experience provided by GitHub code scanning and actions means you can rapidly adopt new languages and frameworks ahead of support within our native tools while maintaining your security posture and providing a consistent experience for developers and security teams in the pull request.

To ensure you haven’t accidentally exposed a credential in your code, issues, or comments, GitHub has a native secret detection tool. GitHub’s secret scanning helps you identify leaked credentials in your code and helps you prevent new secrets from being introduced. Secret scanning identifies API tokens from more than 100 major cloud service providers and developer tools. With secret scanning’s push protection capabilities you can proactively prevent tokens from entering your repository. You can also provide custom regular expressions, which help to identify personally identifiable information, SSH keys, payment information, or internal API tokens that are not detected by default.

To keep your software supply chain secure, GitHub has native supply chain security features: Dependabot and Dependency review. Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. Dependabot secures your supply chain by identifying dependencies and their vulnerabilities, and suggesting ways to fix, patch, or update them. You can configure Dependabot to evaluate the licenses of new dependencies, block new dependencies that have known vulnerabilities, and prioritize vulnerabilities based on whether or not your application makes a call to the vulnerable function.

If you are deploying in containers, the container image will include operating system software in its Docker layers, which could come from a public container registry like DockerHub. These container images may have vulnerabilities; Trivy from Aquasec and Grype from Anchore are open source tools you can use to scan a container image for security vulnerabilities. With GitHub code scanning and actions, you can integrate these into the GitHub code scanning workflow, providing a consistent experience for developers and security teams in the pull request.

Depending on your architecture you may want a tool that can evaluate your Kubernetes configuration for vulnerabilities, or that can scan infrastructure as code templates like Terraform or Azure Resource Manager templates. Tools like Kubesec and tfsec can help identify configuration errors within your infrastructure and can be integrated via GitHub code scanning and actions to provide a consistent experience for developers and security teams in the pull request.

Some vulnerabilities can only be found when an application is executed. Once your application is in staging or QA, you can use a DAST solution to get an outside-in view of your application. It attempts to safely exploit thousands of attack vectors to find vulnerabilities within your web assets. Tools like StackHawk and OWASP Zap perform dynamic application testing and report their results back to developers using the GitHub code scanning API.

Note: dynamic application testing results do not always fit neatly within the SARIF format; for example, dynamic alerts do not have line numbers or file names associated with the findings. For now, DAST alerts will return with deep links to the DAST provider’s platform which can display DAST alerts more robustly. While not perfect, this still provides a consistent context and alert surfacing.

Similar to DAST, once your application is deployable, you may want to conduct API security testing. You can integrate tools via GitHub code scanning and actions (like 42Crunch) to analyze APIs within the application statically and dynamically, or a DAST solution that has the ability to find and test APIs, like StackHawk and OWASP Zap.

Fuzzing is a runtime testing technique that involves sending invalid, unexpected, or random data to a program in order to test its behavior and identify vulnerabilities. It is typically used to find bugs that cause crashes or other abnormal behavior. Some of the techniques used in fuzzing include mutation-based generation and directed generation. Both of these techniques can help identify vulnerabilities and other issues that may not have been detected through other testing methods. Look to tools like Google’s ClusterFuzzLite and OWASP Zap Fuzzing for strong open source fuzz testing.

Integrating third-party security tools into your GitHub workflow

Once you select the right tools for your organization, you can integrate open source or third-party security tools into your GitHub workflow in just a few clicks with GitHub Actions. To add a new testing type to your development pipeline, navigate to the Security tab, select Code Scanning under the Vulnerability Alerts navigation heading, then click the Add Scanning Tool button. You’ll land on the Choose a workflow screen where you can choose open source and third-party security scanning tools to automate testing directly into your workflow. To help you get started, GitHub offers 2,000 free GitHub Actions minutes and free code scanning for all public repositories.


You can also use a third-party CI tool like Jenkins or TeamCity. Check out this best practices post to learn more. If you don’t find your scanning tool of choice, GitHub code scanning can support any application security testing tool that delivers findings in the JSON SARIF format.
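The SARIF hand-off described above, as an added example that is not GitHub's code or part of the original post: a converter from a hypothetical scanner's findings to a minimal SARIF 2.1.0 document. The tool name `examplescan`, its field names, the `targetUrl` property key and the sample findings are all constructed assumptions. It also lists the results that carry no file or line, which is the DAST case the earlier note describes.

```python
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Scanner severity -> SARIF result level ("error", "warning", "note").
LEVELS = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed sample output of a hypothetical scanner ("examplescan").
CONSTRUCTED_FINDINGS = [
    {"id": "EX001", "title": "Hardcoded credential", "severity": "high",
     "file": "./app/settings.py", "line": 12},
    {"id": "EX002", "title": "SQL built by string concatenation",
     "severity": "medium", "file": "app\\db.py", "line": 40},
    {"id": "EX001", "title": "Hardcoded credential", "severity": "high",
     "file": "scripts/deploy.sh", "line": 3},
    # DAST-style finding: observed on a running app, so no file or line.
    {"id": "EX900", "title": "Missing Content-Security-Policy header",
     "severity": "low", "url": "https://staging.example.test/login"},
]


def normalize_path(path):
    """Return a repository-relative URI with forward slashes."""
    path = path.replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path


def to_sarif(findings, tool_name="examplescan"):
    """Build a single-run SARIF 2.1.0 document from scanner findings."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        # Each rule is declared once; results point back to it by index.
        if f["id"] not in rule_index:
            rule_index[f["id"]] = len(rules)
            rules.append({"id": f["id"],
                          "shortDescription": {"text": f["title"]}})
        result = {
            "ruleId": f["id"],
            "ruleIndex": rule_index[f["id"]],
            "level": LEVELS.get(f["severity"], "warning"),
            "message": {"text": f["title"]},
        }
        if f.get("file"):
            physical = {"artifactLocation": {"uri": normalize_path(f["file"])}}
            line = f.get("line")
            if isinstance(line, int) and line >= 1:  # SARIF lines are 1-based
                physical["region"] = {"startLine": line}
            result["locations"] = [{"physicalLocation": physical}]
        elif f.get("url"):
            # No source location exists; keep the tested URL in the message
            # and in the result's property bag (key name is an assumption).
            result["message"]["text"] += " (observed at " + f["url"] + ")"
            result["properties"] = {"targetUrl": f["url"]}
        results.append(result)
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }


def results_without_location(sarif):
    """Return ruleIds of results that have no file location to annotate."""
    missing = []
    for run in sarif["runs"]:
        for res in run["results"]:
            locs = res.get("locations", [])
            if not any("physicalLocation" in loc for loc in locs):
                missing.append(res["ruleId"])
    return missing


if __name__ == "__main__":
    doc = to_sarif(CONSTRUCTED_FINDINGS)
    print(json.dumps(doc, indent=2))
    print("no source location:", results_without_location(doc))
```
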

Viewing your security results

Once you’ve automated your security testing with GitHub Actions, every pull request will be tested automatically. If a security finding is detected, it will be surfaced to you directly in the pull request, giving you the same user experience as GitHub’s built-in security solutions. From here, you can take action to remediate, collaborate with your peers with built-in code review, or flag results to your security team.


For security teams, engineering leaders, and developers who work across hundreds–or even thousands–of repositories, security overview provides a centralized view of risk across your applications. With security overview, you can easily see what repositories are currently being tested by which security solutions, the vulnerabilities and risks associated, then take action without leaving the reporting view.

To view the security overview dashboards, select the Security tab from within your organization. From here, you can drill in at the ‘Enterprise,’ ‘Organization,’ or ‘Repository’ level and filter by team, severity, tool, rule, branch, or alert type, or automatically enable testing directly from security overview if a security feature hasn’t been turned on. To specifically see results from open source or third-party security tools, select the Code scanning tab.


About GitHub Advanced Security

GitHub makes extra security features available to customers under an Advanced Security license. These features are also enabled for public repositories on GitHub.com.

Who can use this feature?

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server. Some features of GitHub Advanced Security are also available for public repositories on GitHub.com. For more information, see "GitHub’s plans." For information about GitHub Advanced Security for Azure DevOps, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.


GitHub has many features that help you improve and maintain the quality of your code. Some of these are included in all plans, such as dependency graph and Dependabot alerts. Other security features require a GitHub Advanced Security (GHAS) license to run on repositories apart from public repositories on GitHub.com.

For information about how you can try GitHub Enterprise with GitHub Advanced Security for free, see "Setting up a trial of GitHub Enterprise Cloud" and "Setting up a trial of GitHub Advanced Security" in the GitHub Enterprise Cloud documentation.

To purchase a GitHub Advanced Security license, you must be using GitHub Enterprise. For information about upgrading to GitHub Enterprise with GitHub Advanced Security, see "GitHub’s plans" and "About billing for GitHub Advanced Security."

Note: If you want to use GitHub Advanced Security with Azure Repos, see GitHub Advanced Security & Azure DevOps in our resources site. For documentation, see Configure GitHub Advanced Security for Azure DevOps in Microsoft Learn.

About Advanced Security features

A GitHub Advanced Security license provides the following additional features for private repositories:

Code scanning - Search for potential security vulnerabilities and coding errors in your code using CodeQL or a third-party tool. For more information, see "About code scanning" and "About code scanning with CodeQL."

CodeQL CLI - Run CodeQL processes locally on software projects or to generate code scanning results for upload to GitHub. For more information, see "About the CodeQL CLI."

Secret scanning - Detect secrets, for example keys and tokens, that have been checked into private repositories. If push protection is enabled, GitHub also detects secrets when they are pushed to your repository. Secret scanning alerts for users and push protection are available and free of charge for all public repositories on GitHub.com. For more information, see "About secret scanning" and "Push protection for repositories and organizations."

Custom auto-triage rules - Help you manage your Dependabot alerts at scale. With custom auto-triage rules you have control over the alerts you want to ignore, snooze, or trigger a Dependabot security update for. For more information, see "About Dependabot alerts" and "Customizing auto-triage rules to prioritize Dependabot alerts."

Dependency review - Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see "About dependency review."

The table below summarizes the availability of GitHub Advanced Security features for public and private repositories.

For information about Advanced Security features that are in development, see "GitHub public roadmap." For an overview of all security features, see "GitHub security features."

GitHub Advanced Security features are enabled for all public repositories on GitHub.com. Organizations that use GitHub Enterprise Cloud with Advanced Security can additionally enable these features for private and internal repositories. For more information, see the GitHub Enterprise Cloud documentation.

About GitHub Advanced Security Certification

You can highlight your code security knowledge by earning a GitHub Advanced Security certificate with GitHub Certifications. The certification validates your expertise in vulnerability identification, workflow security, and robust security implementation. For more information, see "About GitHub Certifications."

Schneier on Security

Using Legitimate GitHub URLs for Malware

Interesting social-engineering attack vector:

McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.

As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures. For example, a threat actor could upload a malware executable in NVIDIA’s driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it’s a new test version of the web browser. These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.

Tags: malware, open source, social engineering

Posted on April 22, 2024 at 11:26 AM • 11 Comments

Q • April 22, 2024 12:06 PM

“These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.”

I think the last word there should be “trusted”.

It doesn’t make them more worthy of trust, it just fools people into trusting it.

An • April 22, 2024 1:07 PM

The real highlight is

Instead of generating the URL after a comment is posted, GitHub automatically generates the download link after you add the file to an unsaved comment, as shown below. This allows threat actors to attach their malware to any repository without them knowing. Even if you decide not to post the comment or delete it after it is posted, the files are not deleted from GitHub’s CDN, and the download URLs continue to work forever.

Erdem Memisyazici • April 22, 2024 1:12 PM

Not a huge deal in my opinion. If you are on GitHub you are probably there to look at source code. If it’s not linked by the project chances are it’s not part of the project and should not be trusted. The target audience appears to be what we used to call script-kiddies who seem to be looking for cheating software online.

Who in their right mind would install something from a source code repository that isn’t produced by the source code?

When I was looking for cracks, trainers, and patches I simply went to virus-riddled warez sites that had everything you needed but I knew more than half of those had M0sucker or something of the sort bundled in you first had to win-dasm decompile out and recompile before using. Luckily being always-online wasn’t a thing and your anti-virus could also clean some of those .exe(s) automatically for you. If that didn’t work you used Olly debugger, found where it was asking for the key (probably latest version of WinRAR) and changed the je bit to a jne, save the exe and enter whatever key to use your “app”.

If the .exe was obfuscated then it was too much of a headache and you just searched forums for a working key next time you went online which mostly someone would always post. There also were dev keys for registration which was something like 0000-0000-0000-0000 you always tried before looking.

My point is besides going to gamecopyworld you were probably going to download a virus alongside your exe patcher. I didn’t think that would change with time because much like Sony rootkitting your computer some people have a monetary interest in getting you or others to pay for stuff you could otherwise get for free.

You always have to assume anything you send to the client side is subject to modification. Unless you are using sanctioned hardware and space by a tournament host and go through full body scans before playing your online game is probably going to be full of cheaters who trained some sort of ML network to play the game so that they can set perfect scores. That’s not as fun as wallhacking used to be (now it’s an in-game feature for most fps) but I’ve seen people do it.

Don’t just install stuff blindly from GitHub without compiling it from source and this is not an issue.

Chris R • April 22, 2024 2:00 PM

I think any malware mitigation that relies on demanding that users “don’t just install stuff” whatever the qualifications you want to put around it is doomed to failure.

The point is, some URLs are trusted more than others, and in fact the web browser UI goes to a fair amount of effort to delegate that trust to the operators of the domain and encourages users to rely on it.

lurker • April 22, 2024 3:13 PM

When did GitHub start making URLs visible in comments for uploaded files before the actual upload? ‘Bout the same time as MS moved in? Just asking …

vas pup • April 22, 2024 5:08 PM

Daniel Dennett: ‘Why civilisation is more fragile than we realized’ https://www.bbc.com/future/article/20240422-philosopher-daniel-dennett-artificial-intelligence-consciousness-counterfeit-people

“While complete facsimiles of the human mind may not be imminent, the way we’re using AI to impersonate human beings has, he told me, already put us on a dangerous trajectory. He called such AIs “counterfeit people”, and told me that rolling out such entities en masse constituted “mischief of the worst sort”: a form of “social vandalism” that should be addressed by law. Why? Because, if convincing digital representations of humans can be created at whim, the entire business of collectively assessing other people’s claims, experiences and actions is put at risk – not to mention essential social infrastructure such as contracts, obligations and consequences.

Hence the need for legal prohibitions, a case he made at length in a May 2023 article for The Atlantic. “It won’t be perfect,” he told me, “but it will help if we can make it against the law to make counterfeit people. We can have stiff penalties for counterfeiting people, same as we do for counterfeit money… we should make it a mark of shame, not pride, when you make your AI more human.”

in principle, there is nothing preventing the algorithms of artificial intelligence from approaching or exceeding our own capacities; or from humans augmenting and re-engineering their minds through artificial means. Indeed, some of Dennett’s most important early work entailed defending computation’s power and potentials against those who, like the philosopher John Searle, claimed that mere calculation could never give rise to phenomena like consciousness. For Dennett, there was nothing “mere” about calculation or algorithmic processes: it was only ever a question of scale and complexity.

In this sense, the achievements of modern AIs – from their linguistic prowess and mastery of games like chess and Go to their ability to pass legal and medical examinations – are an ongoing vindication of Dennett’s insistence that human-level competence can arise from wholly uncomprehending processes (not to mention that, in our case, it did).

It’s dangerous to obsess over whether AI will achieve “general intelligence”, with all the cognitive flexibility of a human being, let alone something greater. Long before anything like this happens, he noted,

we will need to deal with the emergence of “extremely manipulative” autonomous agents – and these will pose a far greater threat than hypothetical super intelligences (“forget about that!”). Why? Because, much as social media has proved an evolutionary hothouse for content able to exploit human vulnerabilities, the same dynamics favor both AI-generated content and AIs able to deploy an enticing combination of persuasion, seduction, shock and flattery.

From flawlessly glamorous artificial influencers to deepfake pornography, from endlessly empathetic companions to romantic scams, human loves and longings are a fertile field for the refinement of manipulation. We may not (yet) be brains in vats. But what we see, believe, belong to and do is increasingly interwoven with countless information systems;

and many of these are more adept at delivering persuasion and plausibility than truth.

AIs are likely to “evolve to get themselves reproduced. And the ones that reproduce the best will be the ones that are the cleverest manipulators of us human interlocutors. The boring ones we will cast aside, and the ones that hold our attention we will spread.

All this will happen without any intention at all. It will be natural selection of software.” In evolutionary terms, our minds aren’t devices fine-tuned for differentiating truth from lies. We are partial, passionate, tribal creatures: social animals linked by bonds of love and loyalty that both define our humanity and make us painfully vulnerable.

“is your thinking to be determined by the truth about what’s out there. You want to be compelled by the good evidence there is out there for how the world is. But you also want to have the elbow room to reconsider, and reconsider, and reconsider further: your prospects, your projects, your goals. You want to be a higher order, intentional system that reflects upon means and ends and goals.”

The “freedom” to act on the basis of manipulatively inaccurate information is no freedom at all. By contrast, actions determined by “the good evidence that is out there” are emancipatory: open to the complexities of actuality rather than snared by untruths.”

Michael Richardson • April 22, 2024 5:19 PM

Seems like yet another Microsoft blame the user over our inability to get sudo to operate sanely.

Vesselin Bontchev • April 23, 2024 12:19 AM

GitLab has the same problem.

https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/

Who? • April 23, 2024 12:13 PM

@ Erdem Memisyazici

Not a huge deal in my opinion. If you are on GitHub you are probably there to look at source code. If it’s not linked by the project chances are it’s not part of the project and should not be trusted. The target audience appears to be what we used to call script-kiddies who seem to be looking for cheating software online.

Not exactly, lots of projects on GitHub have a “Files” tab where bootable ISO images can be downloaded, and this one is the way these images are downloaded from the project’s main web page.

Who? • April 23, 2024 12:18 PM

Who in their right mind would install something from a source code repository that isn’t produced by the source code?

This is called “social engineering” and it works. Just publish a link on a forum that looks genuine and people will download from it, not to say in case official files have been available for download directly from GitHub/GitLab for years.

vas pup • April 23, 2024 4:36 PM

https://cyberguy.com/future-tech/how-this-new-invisibility-technology-can-literally-make-you-disappear/

“What would you think if I told you that there is technology available today that could make you vanish? It’s true. Thanks to optical engineering, it’s possible to become invisible to the naked eye. This isn’t just a fantasy—it’s a reality crafted by the UK’s Invisibility Shield Co., which has introduced the impressive Invisibility Shield. This 6-foot-tall shield offers a new dimension to the concept of invisibility.

At the heart of this technology lies a precision-engineered lens array. Picture this: you’re standing behind the shield, and instead of being a conspicuous figure, the light reflecting off you is cleverly redirected.

This array, composed of vertically oriented lenses, scatters the light horizontally, causing your image to dissolve into the backdrop. It’s like a magic trick, where the magician vanishes not with a puff of smoke but with a whisper of light.

The lenses are not just any lenses; they are elongated, convex lenses meticulously embossed onto a polymer sheet. These aren’t your run-of-the-mill magnifying glasses; they are the result of rigorous testing and fine-tuning—shaped to perfection to manipulate light just right.

But what about the backdrop? Ah, that’s where the magic amplifies. The background light, brighter and broader, passes through the shield and gets refracted towards the observer. From their point of view, it’s as if the background itself has stretched out, masking your presence.

But let’s not forget, these shields are not armor. They won’t protect you from harm but will make you virtually invisible. And they’re built to last, with materials that withstand the elements and the test of time.”

https://www.youtube.com/watch?v=gCC5RdA19bA

My nickel: Traffic cop is hiding to get violators? Banking security guy is invisible to potential robbers? Confidential informer, whistleblower you name it testified in court or/and Congress hearings? Some Secret Service protected person is hiding behind?


Edgar Tomeyan

Ruby on rails developer.

Web developer with abilities to design, implement, deploy, test and debug Ruby on Rails applications.

  • Phone: +79773030311
  • Email: [email protected]
  • GitHub:  github.com/just-ed
  • Ruby, Ruby on Rails
  • Git, GitHub
  • Heroku, VPS
  • Russian - Proficiency
  • English - Upper-Intermediate
  • Armenian - Beginner
  • Self-development
  • Playing guitar
  • Android ROMs

Former MIT researcher who killed Yale graduate student sentenced to 35 years in prison

A former MIT researcher has been sentenced to 35 years in prison for the killing of a Yale University graduate student in Connecticut

NEW HAVEN, Conn. -- A former researcher at the Massachusetts Institute of Technology was sentenced Tuesday to 35 years in prison for the killing of a Yale University graduate student found shot outside his car on a Connecticut street.

Qinxuan Pan, 33, who pleaded guilty to murder in February, apologized during a hearing in a New Haven courtroom packed with family and friends of the victim, Kevin Jiang.

“I feel sorry for what my actions caused and for everyone affected,” Pan said. “I fully accept my penalties.”

Jiang, 26, a U.S. Army veteran who grew up in Chicago and a graduate student at Yale's School of the Environment, had just left his fiancée's apartment in New Haven on the evening of Feb. 6, 2021, when he was shot multiple times by Pan, according to police and prosecutors. The couple had just gotten engaged days earlier.

Several of Jiang's relatives and friends spoke in court before the judge handed down the sentence, which Pan agreed to as part of his plea bargain.

“My son was a remarkable young man who cherished life and held deep (belief) in God. He had a bright future ahead — one that promised to spread God’s love far and wide,” said Jiang's father, Mingchen Jiang.

A motive for the killing was never made entirely clear. Investigators said they discovered that Pan and Jiang's fiancée were connected on social media and had met while at MIT, where both had graduated from and where Pan was working as a researcher at the time of the shooting.

According to the documents, Jiang’s fiancée told authorities she and Pan “never had a romantic or sexual relationship, they were just friends, but she did get a feeling that he was interested in her during that time.”

After the shooting, Pan fled the scene and eluded police for three months before being apprehended in Alabama, where officials said he was caught living under a fake name with $19,000 in cash, a passport and several cellphones.


Ph.D. candidate presents at Women in CyberSecurity 2024 Conference

Naureen Hoque, a Ph.D. candidate in the Computing and Information Sciences program under the supervision of Assistant Professor Hanif Rahbari, presented her poster “Exposing New Denial of Service Vulnerability in Connection Establishment of Wi-Fi Systems” at the Women in CyberSecurity 2024 Conference, April 11-13 in Nashville, Tenn. Her submission was recognized with a student scholarship.


Information Technology Laboratory

National vulnerability database.

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.

Weakness Enumeration

Change history, new cve received by nist 4/22/2024 7:15:50 pm.

IMAGES

  1. GitHub Security 101: Best Practices for Securing your Repository

  2. GitHub Security Best Practices

  3. Homepage

  4. Security best practices for GitHub

  5. Github Security Guide for 2024

  6. GitHub Secret Scanning

VIDEO

  1. Python Program That Can Scrape Github For Hackers

  2. Where to Find Bug Bounty Checklists

  3. Quantum Security and API interaction for Post Quantum Cryptography

  4. JavaScript For Bug Bounty Hackers

  5. Hacking Websites Walkthrough

  6. Stay Safe Encrypt PDFs with Python, Not Online Tools

COMMENTS

  1. Implementing software security in open source · GitHub

    Implementing software security in open source · GitHub. Lisa Tagliaferri, PhD // Head of Developer Education, Chainguard. The ReadME Project amplifies the voices of the open source community: the maintainers, developers, and teams whose contributions move the world forward every day. The ReadME Project. If you're building open source ...

  2. Getting a Ph.D. in System Security

    Getting a Ph.D. in System Security - the FAQ. I remember when I was a master's student, unsure about the path to take, and surrounded by questions like "Is the Ph.D. a good road?" or some months later, after my first papers rejected, "Did I choose right?". Once, an old professor told me something like, "doing a Ph.D. is like a 3 ...

  3. List of Cybersecurity PhD Programs

    Here's a breakdown of tuition rates (all figures are based on out-of-state tuition). $17,580 is the most affordable PhD program option and it is available at the Georgia Institute of Technology. $86,833 is the average cost of a cybersecurity PhD and is based on tuition rates from all 26 schools.

  4. | Security Research Group

    Chief Scientist, Security Research Labs. Nathanael Paul Spring 2008 PhD in Computer Science, May 2008 ... VR security UC Santa Barbara PhD Student. Yulong Tian Pre-Doctoral Visitor Since Fall 2020 hiding machine learning backdoors. Yiran Yao Pre-Doctoral Visitor Summer 2021 adversarial training.

  5. DerrickXuNu (Runsheng Xu) · GitHub

    Waymo Research Scientist, UCLA PhD. DerrickXuNu has 14 repositories available. Follow their code on GitHub.

  6. Cyber Security, Privacy and Trust PhD

    The aim of this PhD programme is to provide students with research training in specialised topics of security, privacy and trust, helping produce the next generation of world-leading experts of the field.

  7. PDF Design, Implementation, and Evaluation of Secure Cyber-Physical and

    advance the security of wireless systems: effectiveness of deployed physical layer features as defense mechanisms, complexity and accessibility of wireless technologies, and security evaluations of wireless protocols.

  8. Machine Learning Security

    Machine Learning Security Short PhD seminar on Machine Learning Security (Adversarial Machine Learning) View on GitHub Machine Learning Security. A short course on adversarial machine learning. Academic Year 2022-2023. Instructor: Dr. Ambra Demontis. Modality: Online. PhD programme in Electronic and Computer Engineering (Univ. Cagliari)

  9. Ghada Almashaqbeh

    I received my PhD in Computer Science from Columbia University in 2019, where I was a member of the Cryptography Lab and the Data Science Institute. ... My research interests cover cryptography, computer systems security, and privacy, with a focus on blockchain-based systems and distributed cryptographic protocols. My research is supported by ...

  10. Security and Crime Science MPhil/PhD

    UCL Security and Crime Science is widely recognised for the impact of its research on real-world crime problems. The Department has long-standing links with police forces, policy makers, academic research centres of excellence and security organisations in the UK and internationally. A PhD with us allows you to pursue original research and make a distinct and significant

  11. | Security Research Group

    Conclusion. Getting into a good PhD program is extremely competitive and professors are strongly motivated to identify and attract the best possible research students to their group. At any department you would want to go to (including UVA ), the acceptance rate is usually in the single digit percentages.

  12. PhD_Security (@PhD_Security) / Twitter

    72. PhD_Security. @PhD_Security. ·. Nov 10. There are only 1000 downloads Subscribe to my YouTube for more free courses: youtube.com. PhD Security. Hey my name is Ryan, I have a passion for software development and cybersecurity and this channel is a place where I share that passion!

  13. Application security orchestration with GitHub Advanced Security

    GitHub Advanced Security (GHAS) embeds security testing into your familiar workflow, helping you to prevent and fix vulnerabilities and secret leaks. With GHAS, you can also seamlessly integrate open source and third-party testing tools in the same workflow as the native GitHub security solutions. This means that on every pull request, you can ...

  14. GitHub

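    Doing_the_PhD. The author believes that the doctoral journey is a rare form of self-cultivation centered on one's own cognition, abilities, and body and mind. Within it, rich and genuinely effective guidance resources help bring doctoral students' solitary quest into new territory, so that they can be better prepared, braver, and more confident in facing what accompanies the choice to pursue a PhD ...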

  15. About GitHub Advanced Security

    For information about Advanced Security features that are in development, see "GitHub public roadmap." For an overview of all security features, see "GitHub security features." GitHub Advanced Security features are enabled for all public repositories on GitHub.com. Organizations that use GitHub Enterprise Cloud with Advanced Security can additionally enable these features for private and ...

  16. Unleash the Power of Microsoft Copilot for Security: Introducing the

    Attention to all security enthusiasts! We are pleased to announce the launch of the official Microsoft Copilot for Security GitHub Community. This platform offers access to educational and guidance materials tailored to enhance your understanding and utilization of Copilot for Security capabilities. Copilot for Security GitHub repository includes best practices, documentation, how-to guides ...

  17. Robofly, CRUSHFTP, Github, Palo Alto, MITRE, Fancy Bear, Deepfakes

    Robofly, CRUSHFTP, Github, Palo Alto, MITRE, Fancy Bear, Deepfakes, Aaran Leyland, and more, on this Edition of the Security Weekly News.

  18. Using Legitimate GitHub URLs for Malware

    Using Legitimate GitHub URLs for Malware. Interesting social-engineering attack vector: McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the "C++ Library Manager for Windows, Linux, and MacOS," known as vcpkg. The attacker is exploiting a property of GitHub: comments to a particular repo can contain ...

  19. Edgar Tomeyan

    Nov 2018 - Apr 2019: Ruby on Rails Intensive Course (goodprogrammer.ru) Sept 2018 - Nov 2018: Introduction to Computer Science and Programming Using Python (MITx)

  20. Former MIT researcher who killed Yale graduate student ...

    Jiang, 26, a U.S. Army veteran who grew up in Chicago and a graduate student at Yale's School of the Environment, had just left his fiancée's apartment in New Haven on the evening of Feb. 6, 2021 ...

  21. Ph.D. candidate presents at Women in CyberSecurity 2024 Conference

    Naureen Hoque, a Ph.D. candidate in the Computing and Information Sciences program under the supervision of Assistant Professor Hanif Rahbari, presented her poster "Exposing New Denial of Service Vulnerability in Connection Establishment of Wi-Fi Systems" at the Women in CyberSecurity 2024 Conference, April 11-13 in Nashville, Tenn. Her submission was recognized with a student scholarship.

  22. Nvd

    Description. Ant Media Server is live streaming engine software. A local privilege escalation vulnerability present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system.

  23. Msk Symphony 34 Residential, Moscow, Russia

    Address: BOSB Mermerciler San. Sitesi 4. Cadde No: 7 34520, Beylikdüzü / İstanbul / TÜRKİYE