Dominik Wermke
Bio
Dominik Wermke is an Assistant Professor in the Department of Computer Science at North Carolina State University. He is a member of the Secure Computing Institute (SCI), the Wolfpack Security and Privacy Research (WSPR) Lab, and the Secure Software Supply Chain Center (S3C2).
His research focuses on computer security, particularly human-centered security, examining how security mechanisms intersect with the practices, constraints, and decision-making of software developers and related practitioners. He employs mixed-methods approaches, including interviews, user studies, surveys, and large-scale ecosystem analyses, to identify behavioral patterns, systemic risks, and real-world constraints in secure software development.
Prior to NC State, he worked as a researcher at the CISPA Helmholtz Center for Information Security and was part of the TeamUSEC research group for human-centered security. He received his Dr. rer. nat. (PhD equivalent) in computer science from Leibniz University Hannover, Germany, in 2023, and both an M.Sc. and a B.Sc. from Saarland University, Germany, in 2016 and 2015, respectively.
Education
- Ph.D., Computer Science, Leibniz University Hannover, Germany, 2023
- M.Sc., Saarland University, Germany, 2016
- B.Sc., Saarland University, Germany, 2015
Area(s) of Expertise
Cyber Security
Software Engineering and Programming Languages
Human-Computer Interaction and User Experience
Publications
- Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security, Network and Distributed System Security (NDSS) Symposium 2025, February 24-28, 2025 (2025)
- Context Matters: Qualitative Insights into Developers' Approaches and Challenges with Software Composition Analysis, In Proceedings of the 34th USENIX Security Symposium (USENIX Sec '25), August 13-15, 2025 (2025)
- Poster: Computer Security Researchers' Experiences with Vulnerability Disclosures (2025)
- Research Directions in Software Supply Chain Security, ACM Transactions on Software Engineering and Methodology (2025)
- Your Build Scripts Stink: The State of Code Smells in Build Scripts, Proceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering (ASE) (2025)
- Analyzing Security and Privacy Advice During the 2022 Russian Invasion of Ukraine on Twitter (2024)
- Decomposing and Measuring Trust in Open-Source Software Supply Chains, 2024 IEEE/ACM 46th International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER 2024) (2024)
- Security and Privacy Software Creators' Perspectives on Unintended Consequences, In Proceedings of the 33rd USENIX Security Symposium (USENIX Sec '24), August 14-16, 2024 (2024)
- "Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain, In Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P '23) (2023)
- A Viewpoint on Human Factors in Software Supply Chain Security: A Research Agenda, IEEE Security & Privacy (2023)
Grants
Digital innovation is the source of competitiveness and value creation for many types of businesses. The universal desire for rapid digital innovation demands efficient reuse of software code building blocks, which has increased dependence upon the open source and third-party libraries and tools that comprise the software supply chain. Adversaries have moved from finding and exploiting vulnerabilities in end products to a new generation of supply chain attacks, in which attackers implant malicious code directly into artifacts in the supply chain so that it finds its way into build and deployment pipelines. Digital innovation depends upon confidence in the software supply chain. As such, our research will enable the following vision: the software industry can rapidly innovate with confidence in the security of its software supply chain. The challenge of software supply chain security has recently received significant interest from industry and government. However, discussions with key stakeholders indicate that the state of the art is preliminary, motivating scientific research to address the underlying fundamental challenges that will otherwise limit the practical success of existing approaches. We tackle the challenges of a secure software supply chain through three thrusts: prevention, detection, and response, with an explicit objective of moving toward preventing security failures. For each thrust, we consider five hard security problems: (1) Scalability and Composability, such as detecting malicious commits and hardening containers; (2) Policy-governed Secure Collaboration, such as effective use of Software Bills of Materials; (3) Predictive Security Metrics, such as measuring the exploitability of vulnerabilities; (4) Resilient Architectures, such as isolation and sandboxing of components; and (5) Human Behavior, such as studying how to help software developers make more secure decisions.
The project will impact the software industry by engaging with current industry players and communities and enabling their participation in our research thrusts. Additionally, the project will involve educating the next generation of engineers to eradicate software supply chain security issues and training current employees to make them aware of these issues so they can help reduce them. To solve these challenging issues, we have created a multidisciplinary proposing team committed to diversity.