Publications
Preprint
Evaluation Guidelines for Empirical Studies in Software Engineering involving LLMs
This paper introduces community-developed guidelines for conducting and reporting empirical software engineering studies involving large language models (LLMs). It presents a taxonomy of study types and eight key recommendations to improve transparency, reproducibility, and replicability—covering areas such as model documentation, prompt reporting, tool architecture, and human validation.
Preprint
The Prevalence of Code Review Guidelines for GUI-Based Testing in Open-Source
This study empirically analyzed 1,000 pull requests from 100 open-source projects to examine how code review comments on GUI-based tests align with proposed review guidelines. Results showed that 81% of comments matched these guidelines—especially around testing techniques and exception handling—confirming their practical relevance and value for improving the quality and consistency of GUI-based test reviews.
Conference
Towards Automated Continuous Security Compliance
Continuous Security Compliance is crucial for adopting Continuous Software Engineering in highly regulated domains, but traditional manual compliance methods are resource-intensive and error-prone, and the field lacks sufficient research. This paper defines continuous security compliance, outlines key challenges through a tertiary study, and proposes a research roadmap developed in collaboration with an industry partner to advance automation in this area.
Preprint
No Free Lunch: Research Software Testing in Teaching
This study explores the integration of research software testing into teaching, demonstrating that such efforts can improve research software quality—particularly documentation and dependency management—while also exposing students to real-world research software engineering. However, despite thoughtful student contributions, challenges such as unclear intellectual property rights and lack of incentives hinder the direct reuse of student code, limiting the full potential of this approach.
Conference
Automated Security Findings Management: A Case Study in Industrial DevOps
Through an industrial case study, we examine how automated security findings management can be integrated into DevOps workflows. Our findings show significant improvements in vulnerability response times and developer productivity.
Conference
Industrial Challenges in Secure Continuous Development
As agile and DevOps practices continue to shape development processes, the intersection of security and continuous software engineering remains a critical focus, with growing academic and practical interest in secure methodologies. This work summarizes validated challenges identified through practitioner engagement and outlines four key research directions to guide future efforts in scalable, secure continuous software engineering.
Technical Report
RefA: Reference Architecture for Security-compliant DevOps
This report introduces RefA, a reference architecture designed to support security-compliant DevOps by outlining relevant artefacts, practice areas, and the roles of people, processes, and technology. Developed through standards analysis, literature review, and industrial experience, RefA serves both practitioners aiming to assess secure DevOps lifecycles and researchers shaping future security-focused studies.
Conference
Enterprise-Driven Open Source Software: A Case Study on Security Automation
This study investigates the integration of automated security activities within CI pipelines of enterprise-driven open source projects, revealing that such practices are rare despite maintainers recognizing the importance of security. By analyzing over 8,000 repositories and surveying project maintainers, the research highlights a significant gap in security automation and suggests areas for practical improvement and further study.