Seminars

In February 2019, the Software Institute started its SI Seminar Series. Every Thursday afternoon, a researcher of the Institute will publicly give a short talk on a software engineering argument of her choice. Examples include, but are not limited to, novel interesting papers, seminal papers, personal research overview, discussion of preliminary research ideas, tutorials, and small experiments.

On our YouTube playlist you can watch some of the past seminars. Below you can find more details on the next seminar, the upcoming seminars, and an archive of the past speakers.

Everyone is welcome to attend the seminars organized by the Software Institute.

Next Speaker: Diana Carolina Muñoz Hurtado

Date: December 4, 2025 @ 16:30

Location: D0.03

Chair: Alessandro Giagnorio

Web Service API Security Inside Out

Application programming interfaces (APIs) enable Web services to securely interact and exchange information. The growing prevalence of malicious packages in software repositories has heightened efforts to identify malware in software dependencies, posing critical challenges for Web API developers and security teams. In this talk, we explore the dependency landscape of Web Service APIs by examining a curated collection of open-source GitHub repositories across five major programming languages (JavaScript, Java, Python, Ruby, and Go). We study the historical evolution of dependencies throughout the commit history of each repository, tracking the total number of dependencies as well as the prevalence and persistence of deprecated, unofficial, and vulnerable packages over time. Packages are associated with vulnerabilities according to the Open Source Vulnerabilities (OSV) database. We provide a quantitative assessment of their usage, exploring the relationship between the security components of OpenAPI descriptions.

Biography

I am a Ph.D student in the DESIGN (Architecture, Design and Web Information Systems Engineering) research group at the software institute USI, Lugano, supervised by Prof. Dr Cesare Pautasso. In 2022 I receive my Master’s degree in Software Engineering from the Pontificia Universidad Javeriana from Colombia. I worked for 4 years as a Technical Consultant in ACI Worldwide. My current research focuses on security practices in web service APIs, applying mining and historical analysis techniques to study the evolution and risks of dependencies (vulnerable, obsolete, and unofficial packages) throughout the entire commit history of GitHub repositories, and how the security schemes documented in OpenAPI specifications correlate with different patterns of dependency usage and exposure to vulnerabilities in real-world APIs.

Program

• Aitor Arrieta

  December 11, 2025

Archive

• Carmen Armenti - Software Sonification: What We've Built, What We've Learned, and Where We're Going (November 27, 2025)
• Davide Paolo Tua - Writing an emulator from scratch. The good, the bad and the painful (November 6, 2025)
• Adam Štěpánek - Visualizing Software Playfully: A Case Study of Helveg (October 30, 2025)
• Hassan Atwi - BPMN4BC: A Simple BPMN Extension for Blockchain-Enabled Business Process Modeling (October 23, 2025)
• Alessandro Giagnorio - Teaching Exotic Programming Languages to Large Language Models (October 16, 2025)
• Shifat Sahariar Bhuiyan - Clusters Predict Mutant Kills: Selecting Input Generators by Cluster Coverage (October 9, 2025)
• Luca Chiodini - The Illusion of Thinking? (October 2, 2025)
• Marco Raglianti - Dataset Not Anonymized, Reject. A Personal Account of Ethics, Privacy, and Anonymization Issues in SE Research. (September 25, 2025)
• James Zheng - From Probabilistic Testing to Certifiable AI: Large Language Models and Neuro‑Symbolic Reasoning for Verifiable Autonomous Systems (July 11, 2025)
• Srđan Krstić - Proactive Real-Time First-order Enforcement (May 22, 2025)
• Edoardo Riggio - The SUNBURST Wake-Up Call: Why CI/CD Security Matters Now More Than Ever (May 8, 2025)
• Nargiz Humbatova - Real Faults in Deep Learning Fault Benchmarks: How Real Are They? (April 17, 2025)
• Giuseppe Crupi - Cost-Efficient Software Automation with Cooperative Small Language Models (April 10, 2025)
• Joe Gibbs Politz & Robby Findler - Double Talk: (1) Teaching JITs/incremental compilers + (2) Esterel in Racket (April 4, 2025)
• Marco Paganoni - Reasoning about Substitutability at the Level of JVM Bytecode (April 3, 2025)
• Tommi Mikkonen & Kari Systä - LiquidAI: Orchestrating Cloud-Edge Continuum with Isomorphic Software (March 20, 2025)
• Andrea Mocci - Eternal Sunshine of the Spotless Macros (March 13, 2025)
• Masoud Jamshidiyan Tehrani - Adversarial Attacks on Deep Learning-Based Perception in Autonomous Vehicles: Designing and Evaluating System-Level Failures (March 6, 2025)
• Dominik Winterer - Formal Methods Engineering (FME): Towards More Mature Formal Methods (February 27, 2025)
• Angelo Gargantini - A formal approach to software engineering for the Validation and Verification of safety critical systems (January 28, 2025)
• Alessio Gambi - Beyond Scenario-based Testing of Single Ego Vehicles (January 27, 2025)
• Akshatha Shenoy - Verification of Concurrency Properties for JVM based Programming Languages (December 5, 2024)
• Rosalia Tufano - Deep Learning-based Code Reviews: A Paradigm Shift or a Double-Edged Sword? (November 28, 2024)
• Gianmarco De Vita - Topographical Deep Learning Testing (November 21, 2024)
• Jesper Findahl - From Pandas to Polars: Achieving 50x Speedups and Scaling Beyond Memory Limits (November 14, 2024)
• Cesare Pautasso - Unethical Software Engineering in 8 Easy Dark Patterns (November 7, 2024)
• Samuele Pasini - Evaluating and Improving the Robustness of Security Attack Detectors Generated by LLMs (October 24, 2024)
• Mathieu Nassif - On-Demand Documentation via Code Examples (October 17, 2024)
• Luca Chiodini - What Does It Mean To Learn? (October 10, 2024)
• Hassan Atwi - Transparent Transaction Ordering in Blockchain-based Collaborative Processes (October 3, 2024)
• Jinhan Kim - When Simple is Better than Complex: Coverage and Mutation for DL Testing (September 26, 2024)
• Guadalupe Ortiz - Context Aware Collaborative IoT Services in a Smart World (July 22, 2024)
• Domenico Bianculli - Signal-based temporal properties for cyber-physical systems: specification, monitoring, and diagnostics (June 13, 2024)
• Tahereh Zohdinasab - Exposing and Explaining Misbehaviours of Deep Learning Systems – A Summary (May 23, 2024)
• Paolo Falcarin - Software Systems Compliance with the AI Act (May 21, 2024)
• Joey Bevilacqua - Assessing the Understanding of Expressions: A Qualitative Study of Notional-Machine-Based Exam Questions (May 16, 2024)
• - Developers Developers Developers (May 2, 2024)
• Alberto Martín López - Neuro-Symbolic AI for Developing, Testing and Consuming Web APIs: An AMBIZIONE Project Proposal (April 25, 2024)
• Alessandro Giagnorio - Customizing deep learning models for code completion tasks (April 11, 2024)
• Francesco Bresciani - Abusing GitLab CI/CD to build a data engineering pipeline (March 14, 2024)
• Andréa Cristina de Souza Doreste - Adversarial Testing with Reinforcement Learning: A Case Study on Autonomous Driving (March 7, 2024)
• Carlo Ghezzi - Rethinking software engineering research and education in the light of digital humanism (February 29, 2024)
• Diana Carolina Muñoz Hurtado - Exploring Security Practices in OpenAPIs (December 7, 2023)
• Carmen Armenti - Data Sonification - A Survey (November 30, 2023)
• Mauricio Aniche - Effective developer testing: lessons I learned over time (November 23, 2023)
• Antonio Mastropaolo - Evaluating Code Summarization Techniques: A New Metric and an Empirical Characterization (November 16, 2023)
• Michele Lanza - Bibliometrics, the Great Beyond of Science? (November 9, 2023)
• Carlo Alberto Furia - Don't Jam the LHC: A causal analysis of Code Jam data (October 26, 2023)
• Rosalia Tufano - Code Review Automation: Strengths and Weaknesses of the State of the Art (October 12, 2023)
• Agnese Zamboni & Matthias Hauswirth - 'Program Your Own Castle' - Developing a Self-Guided Tutorial for the Hour of Code (October 5, 2023)
• Roberto Pietrantuono - Causal reasoning for software quality engineering (June 15, 2023)
• Vincenzo Orrei - Contribution-based Firing of Developers? (May 25, 2023)
• Patric Genfer - On the Understandability of Security Tactics for Microservice APIs (May 16, 2023)
• Marco Paganoni - ByteBack: Deductive Functional Verification of Bytecode programs (May 11, 2023)
• Marco Raglianti - Research Code as Infrastructure (RCaI) (May 4, 2023)
• Souhaila Serbout - What about Web APIs versioning? (April 27, 2023)
• Paolo Tonella - Mind, consciousness and ChatGPT: can ChatGPT impute unobservable mental states to others? (April 6, 2023)
• Alberto Bacchelli - Exploring the Dual Nature of Code Review: Implications for Investigative Methods and Tool Development (March 30, 2023)
• Gabriele Bavota - On Reviewers' Regrets and Negative Results (March 23, 2023)
• Magnus O. Myreen - The CakeML Project: Chasing End-to-End Correctness, Verified Compilation and Applications (March 16, 2023)
• Luca Chiodini - Teaching problem decomposition with graphics (March 9, 2023)
• Dimi Racordon - The bright future between immutability and aliasing restrictions (March 2, 2023)
• Hassan Atwi - Toward Decentralized Process Execution (December 1, 2022)
• Sajad Mazraehkhatiri - Testing Drones in Simulation: Let's Be Realistic! (November 24, 2022)
• Csaba Nagy - Perils and Pitfalls of the Application-Database Gap (November 17, 2022)
• Marco D'Ambros - CodeLounge: a roller-coaster ride (November 10, 2022)
• Matteo Biagiola - Reinforcement Learning for Software Testing (November 3, 2022)
• Matthias Hauswirth - Pitfalls in Teaching Programming (October 20, 2022)
• Davide Paolo Tua - An ECS Primer (October 13, 2022)
• Nargiz Humbatova - DeepCrime: Mutation Testing of Deep Learning Systems Based on Real Faults (October 6, 2022)
• Mohammad Rezaalipour - FauxPy: A Fault Localization Tool for Python Programs (September 29, 2022)
• Crista Lopes - Exercises in Programming Style (September 9, 2022)
• Michele Tufano - Unit Test Case Generation with Transformers and Focal Context (June 20, 2022)
• Valerie Burgener - React 101 (May 19, 2022)
• Diego Venâncio Marcílio - Towards Untangling Java Exceptions (May 12, 2022)
• Bin Lin - Academic Job Search: An Experience Report (April 28, 2022)
• Michael Weiss - Uncertainty-Wizard: Fast and User-Friendly Neural Network Uncertainty Quantification (April 7, 2022)
• Matteo Ciniselli - On automatically generating source code (March 31, 2022)
• Aron Fiechter - Creating a Domain Specific Language in Kotlin Using Type-Safe Builders (March 24, 2022)
• Emad Aghajani - 5 Years of Research: Lessons Learned (March 17, 2022)
• Andrea Stocco - Testing and Evaluation of Autonomous Driving Systems: From Simulated to Real-world Test Environments (March 10, 2022)
• Luca Pascarella - Fine-Grained Code Summarization (March 3, 2022)
• Alessio Merlo - Mobile Apps: The Dark Side of the Droid (December 6, 2021)
• Vincenzo Riccio - Automated Test Input Generation to Check if the Machine Actually Learned (December 2, 2021)
• Jesper Findahl - What’s Up With the CodeLoungers?
  AKA what are CodeLoungers doing all day (November 25, 2021)
• Carlo Alberto Furia - When does correlation imply causation? (November 18, 2021)
• Antonio Mastropaolo - Supporting code-related tasks via Deep-Learning (November 11, 2021)
• Andrea Gallidabino - Do you understand the code you write? 'I hope the TAs won't look at this!' (November 4, 2021)
• Igor Moreno Santos - Towards sound notional machines: a Lambda Calculus crash course (October 28, 2021)
• Gunel Jahangirova - Quality Metrics and Oracles for Autonomous Vehicles Testing (October 21, 2021)
• Marco Raglianti - Visualizing Discord Servers - definitely not a virtual conference video replay (October 14, 2021)
• Anthony Cleve - Analyzing and Supporting the Evolution of Data-Intensive Systems (October 7, 2021)
• Bhargav Bhatt - Datalog Synthesis and Repair (September 30, 2021)
• Rosalia Tufano - Towards Automating Code Review Activities (May 27, 2021)
• Cesare Pautasso - Presentations as Code (May 20, 2021)
• Luca Chiodini - A Curated Inventory of Programming Language Misconceptions (May 6, 2021)
• Andrea Mocci - How does CodeLounge develop? (April 29, 2021)
• Fabio Di Lauro - Towards Large-scale Empirical Assessment of Web APIs Evolution (April 22, 2021)
• Michele Lanza - History is not a burden on the (computer) memory but an illumination of the (software engineering researcher's) soul (April 15, 2021)
• Tahereh Zohdinasab - Explaining Deep Learning Systems by exploring their feature space (March 25, 2021)
• Roberto Minelli - DFlow is dead. Long live Tako! (March 18, 2021)
• Souhaila Serbout - Structural Patterns Mining in Web APIs (March 11, 2021)
• Paolo Tonella - Deep Learning Testing: problems, solutions and elephants (March 4, 2021)
• Gabriele Bavota - On Lessons Learned while Replicating my Own Research (December 10, 2020)
• Matthias Hauswirth - Rainfall and LuCE: The Difficulty of Learning to Program (December 3, 2020)
• Nargiz Humbatova - Mutation Testing of Deep Learning Systems (November 26, 2020)
• Alejandro Mazuera Rozo - Investigating types and survivability of performance bugs in mobile apps (November 19, 2020)
• Matteo Biagiola - Testing the plasticity of reinforcement learning based systems (November 12, 2020)
• Csaba Nagy - Analyzing SQL Queries Embedded in the Source Code (November 5, 2020)
• Mohammad Rezaalipour - Deep Neural Network Bugs and the Challenges of Repairing Them (October 29, 2020)
• Luca Pascarella - Augmented Fine-Grained Defect Prediction for Code-Review (October 22, 2020)
• Diego Venâncio Marcílio - SpongeBugs: Automatically Fixing Static Analysis Tools Violations (October 15, 2020)
• Michael Weiss - Detecting Uncertainty in Deep Learning (February 27, 2020)
• Christoph Treude - Uncovering the best parts of software documentation (January 28, 2020)
• Bhargav Bhatt - DroidPLUMB: Repairing Resource-Leak bugs with Static Analysis (December 5, 2019)
• Jesper Findahl - TypeScript - what is that and why should I care? (November 28, 2019)
• Francesco Magagnino - Envisioning the future of the customer interaction (November 21, 2019)
• Armin Heinzl - How Pair Programming Influences Team Performance: The Role of backup-behavior, shared mental models, and task novelty (November 7, 2019)
• Davide Paolo Tua - Time Evolving Voronoi Treemaps for Metrics Visualization (October 31, 2019)
• Bin Lin - Program Comprehension at ICSME 2019 (October 24, 2019)
• Ana Ivanchikj - Discovering Imgur API – Controlled Experiment (October 17, 2019)
• Marco D'Ambros - Dashboarding your inbox for fun and profit (October 3, 2019)
• Emad Aghajani - Software Documentation: How far we've come, and challenges ahead (September 26, 2019)
• Andrea Stocco - Black-box Confidence Estimation for Misbehavior Prediction in Autonomous Driving Systems (September 19, 2019)
• Jacopo Tagliabue - Less (Data) Is More: Why Small Data Holds the Key to the Future of Artificial Intelligence (June 24, 2019)
• David Clark - The Theory of Testing Programs - An Information Theoretic View (June 19, 2019)
• Jan Vitek - Getting everything wrong without doing anything right! (June 13, 2019)
• Hridesh Rajan - Software as Data (June 12, 2019)
• Alejandro Mazuera Rozo - SOFIA: An Automated Security Oracle for Black-Box Testing of SQL-Injection Vulnerabilities (May 23, 2019)
• Jevgenija Pantiuchina - On the Naturalness of Buggy Code (May 16, 2019)
• Richard Torkar - Why do we encourage even more missingness when having missing data? (May 9, 2019)
• Fengcai Wen - Neural-Machine-Translation-Based Commit Message Generation: How Far Are We? (May 2, 2019)
• Vincenzo Riccio - A Day in the (Activity) Lifecycle (April 18, 2019)
• Luis Mastrangelo - Casting about in the Dark (April 11, 2019)
• Gunel Jahangirova - Mutation Testing of Deep Learning Systems (April 4, 2019)
• Andrea Mocci - The Tale of 'Quattro Tabelle' (March 28, 2019)
• Carlo Alberto Furia - Why You Should Use Bayesian Statistics for Empirical Software Engineering (March 7, 2019)
• Csaba Nagy - Beauty and the Beast: True Stories of Evolving Software Systems (February 28, 2019)
• Andrea Gallidabino - Liquid Software: Multi-Device Adaptation with Liquid Media Queries (February 21, 2019)

Load more...