Principal Research Scientist

SAP Security Research

About me

I am a Principal Research Scientist in the Security Research team at SAP. I am based in Sophia-Antipolis, in Southern France, and I have been with SAP since 2010.

My current focus is primarily on artificial intelligence for source code analysis applied to the field of software security, particularly open-source software.

I was part of the team that invented and developed Eclipse Steady, the tool that SAP has used since 2015 to scan the dependencies of its Java products. In February 2019 my colleagues and I released the vulnerability dataset that fuels Steady at SAP; an extended version of that dataset is now available through project KB.

I am principal investigator of the EU-funded Sec4AI4Sec project (2023-2026). I have been principal investigator and technical leader of the EU-funded AssureMOSS project (2020-2023).

Since the end of 2021, I have served as a (co-)editor for the Building Security In department of the IEEE Security & Privacy magazine.

Before joining SAP, I was a post-doc fellow and then a full-time researcher at the National Research Council (CNR) (Pisa, Italy), where I spent four years overall.

During my PhD, in 2005 and 2006, I spent 7 months overall as a visiting researcher at Carleton University, Ottawa.

I received my PhD in Computer Science and Engineering from the University of Rome ‘Tor Vergata’ (Italy) in 2007.

You may find additional information about me on LinkedIn and on Google Scholar.

To get in touch with me, just click here and write me a message.


  • Artificial Intelligence
  • Software Security
  • Security of Open-Source Software
  • Software Engineering


  • PhD in Computer Science and Automation Engineering, 2007

    University of Rome 'Tor Vergata'

  • Master's in Computer Science/Engineering, 2003

    University of Rome 'Tor Vergata'



Research Expert (Principal Scientist)

SAP Security Research

Jul. 2019 – Present Mougins, France
  • Automated approaches to identify, assess and mitigate vulnerabilities in open-source components
  • Learning source code representations for machine learning applications
  • Technical lead of EU-funded project AssureMOSS
  • Lead of the Intelligent Code Analysis program at SAP Security Research
  • Lead of open-source project “KB”

Senior Researcher

SAP Security Research

Mar. 2013 – Dec. 2019 Mougins, France
  • Automated approaches to identify, assess and mitigate vulnerabilities in open-source components
  • Machine learning for software security analysis and vulnerability detection


SAP Security Research

Oct. 2010 – Feb. 2013 Mougins, France
  • Lead architect in EU-funded project Assert4SOA
  • Security certification of Web Services

Post-doc Fellow (2006-2008), then Researcher (2008-2010)


Jan. 2010 – Sep. 2010 Pisa, Italy
I worked in the domain of software testing, performance analysis, and monitoring, particularly in the context of service-oriented systems.

Visiting Researcher (II)

Carleton University

May 2006 – Aug. 2006 Ottawa, Canada

During this second visit at Carleton University, I worked with Dorina Petriu on combining concepts from the aspect-oriented paradigm and graph grammars to represent crosscutting concerns (performance, security) in software models.


Visiting Researcher (I)

Carleton University

May 2005 – Jul. 2005 Ottawa, Canada

Using graph grammars as a way to abstract information from software models, as a preliminary step for further model transformation to a different target representation.


PhD Candidate

Univ. of Rome ‘Tor Vergata’

Oct. 2003 – Jun. 2007 Rome, Italy

PhD thesis on model-driven methods to automate the performance analysis of software systems

Selected publications (the most cited)


Eclipse Steady

Eclipse Steady supports software development organizations with regard to the secure use of open-source components during application development. The tool analyzes Java and Python applications in order to: detect whether they depend on open-source components with known vulnerabilities, collect evidence regarding the execution of vulnerable code in a given application context (through the combination of static and dynamic analysis techniques), and support developers in the mitigation of such dependencies.


The mission of AssureMOSS is to produce a coherent set of automated, lightweight techniques that allow software companies to assess, manage, and re-certify the security and privacy risks associated with the fast-paced development and continuous deployment of multi-party open software and services (for which we introduce the MOSS acronym).

Intelligent Code Analysis

Deep learning methods, which have found successful applications in fields like image classification and natural language processing, have recently been applied to source code analysis too, due to the enormous amount of freely available source code (e.


  • SAP Labs France -- 805, Avenue Maurice Donat, Mougins, 06254
  • DM Me