Keynotes
From Vulnerability Detection to DevSecOps Productivity
Cristina Cifuentes and Paddy Krishnan (Oracle Labs, Australia)
Over the past two decades we have seen an evolution of the application security landscape, including the transition from an on-premises environment to a cloud-based one, which transformed the way development teams work, now heavily relying on continuous integration and continuous delivery. For application security, this presented new challenges, with a transition to a DevSecOps model where security is integrated at different levels of the software process, with different constraints on the integration of appsec tools.
In this talk we share our experience, over close to two decades, of developing research in the vulnerability space to scale up methods of detecting vulnerabilities over billions of lines of code while remaining precise in the results from these tools. Our insights led to the development of the Intelligent Application Security (IAS) vision to develop an integrated approach to improving application security, including security issue prevention and remediation. We show how one can combine program analysis and synthesis techniques with LLM-based techniques to achieve our vision. These improvements lead not only to better security; they also improve developer productivity.
Cristina Cifuentes
Oracle Labs bio page, drcristinacifuentes on LinkedIn, @criscifuentes on X (Twitter)
Bio
Vice President, Software Assurance, Oracle
Adjunct Professor, The University of Queensland, Australia
Cristina is the Vice President of the Oracle Software Assurance organisation where she leads a team of security researchers and software and machine learning engineers to make application security and software assurance, at scale, a reality. She was the founding Director of Oracle Labs Australia in 2010, where she led a team of researchers and engineers for close to 12 years, with a focus on scaling up Program Analysis techniques in new application security tools. Cristina led and successfully released Oracle Parfait, a static analysis tool used by thousands of C, C++ and Java developers each day. Cristina’s passion for tackling the big issues in the field of Program Analysis began with her PhD work in binary decompilation at the Queensland University of Technology, which led to her being named the Mother of Decompilation for her pioneering contributions to this domain.
Before she joined Oracle and Sun Microsystems, Cristina held academic posts at major Australian Universities, co-edited Going Digital, a landmark book on Cybersecurity, and served on the executive committees of ACM SIGPLAN and IEEE Reverse Engineering. She holds 20+ US patents and over 50 peer-reviewed publications, and has given Keynotes at international Computer Science conferences. Where possible, she channels her interests into mentoring young programmers and minorities in STEM.
Paddy Krishnan

Bio
Paddy is the Research Director and head of Oracle Labs in Brisbane, Australia. His current research interests are in the areas of program analysis, automatic test generation, and program repair, focusing on application security. Prior to joining Oracle Labs in 2013, he was an academic for over 20 years, with various visiting positions in industry. He received his B.Tech from IIT Kanpur, India, and his M.S. and Ph.D. from the University of Michigan, USA, all in Computer Science and Engineering. He is a senior member of the ACM and the IEEE.
Code, Critique, Cure: AI-Augmented Software Maintenance
David Lo (Singapore Management University, Singapore)
What role could AI play in the work of maintaining software systems? This keynote examines the extent to which AI techniques can assist with three essential maintenance activities: coding, critiquing, and curing software. The first part focuses on code, exploring how we can boost the effectiveness of AI models in generating higher-quality code suggestions. The second part addresses critique, illustrating how AI can reason about software vulnerabilities using structured prompts, multi-agent coordination, and learning-based techniques. The third part turns to cure, from history-driven approaches to recent advances that broaden the search for fixes using diverse inputs and reasoning signals. While the methods vary, they reflect a shared goal: to complement human effort in evolving complex software systems. The talk concludes with a brief reflection on the road ahead and open questions for future exploration.
Bio
David Lo is the OUB Chair Professor of Computer Science and Director of the Center for Research in Intelligent Software Engineering (RISE) at Singapore Management University. Championing the area of AI for Software Engineering (AI4SE) since the mid-2000s, he has demonstrated how AI — encompassing data mining, machine learning, information retrieval, natural language processing, and search-based algorithms — can transform software engineering data into actionable insights and automation. Through empirical studies, he has also identified practitioners' pain points, characterized the limitations of AI4SE solutions, and explored practitioners' acceptance thresholds for AI-powered tools. His contributions have led to over 20 awards, including two Test-of-Time awards and eleven ACM SIGSOFT/IEEE TCSE Distinguished Paper awards, and his work has garnered over 35,000 citations. An ACM Fellow, IEEE Fellow, ASE Fellow, and National Research Foundation Investigator (Senior Fellow), Lo has also served as a PC Co-Chair for ASE'20, FSE'24, and ICSE'25.