With the Bachelor thesis to Las Vegas
The number of newly discovered security vulnerabilities in software is increasing at an ever-increasing rate. At an international congress in Las Vegas, a young German researcher presented the reasons behind this trend. In this interview, Joline Wochnik explains why software is becoming more and more complex – but not necessarily more secure – how she presented her research at the World Congress in Computer Science and why the topic concerns us all.
Joline Wochnik is a data science master’s student and research officer at the Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur). The 24-year-old presented her research paper on the exponential growth of security vulnerabilities – a paper she wrote with co-author Olivia Gräupner and co-authors Prof. Dr. Christian Hummert and Prof. Dr. Michael Spranger – at the 2024 World Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE’24) in Las Vegas. The international conference, to which contributions from 57 countries were submitted, provided a high-caliber forum for their results. The paper originated from Wochnik’s bachelor thesis and was published this year by Springer Nature. In it, Joline Wochnik investigated how rapidly the number of security vulnerabilities in software is increasing and which factors could influence this development. She had already recognized during her studies that security vulnerabilities are a central issue in IT security – and with her research she is now laying the foundation for a better understanding of the phenomenon.
Question: How did it happen that your bachelor thesis took you to a world congress in Las Vegas?
Wochnik: The idea for the topic of security vulnerabilities in software was actually suggested to me by the Cyberagentur’s research director, Prof. Dr. Christian Hummert. I had initially considered several topics for my bachelor’s thesis – but this one really convinced me. Security vulnerabilities play an enormously important role in the cyber security of our time, as we experience almost daily. I therefore found it exciting to investigate how much their number is actually increasing and what the influencing factors are. The bachelor’s thesis then became a scientific paper, which we submitted to the CSCE’24 congress. To my great delight, it was accepted – and so I was able to present it in Las Vegas. This was of course an exciting opportunity: a huge congress with contributions from all over the world. It was very impressive for me to stand on such a stage and present our results to an international audience.
Question: What exactly is your study about? Can you make the topic understandable for laypeople?
Wochnik: With pleasure. Put simply, we investigated how quickly the number of software security vulnerabilities grows over the years. Our hypothesis was that this number follows an exponential trend – in other words, it grows faster and faster, multiplying by the same factor at certain intervals, instead of just increasing evenly. At the same time, we wanted to find out whether this increase could perhaps be explained simply by the fact that software is becoming more and more extensive. Code also grows over time, for example through updates, new functions and programs. We therefore looked at the development of code bases – i.e. how many lines of code there are per piece of software – and compared them with the development of reported security vulnerabilities. The result was quite revealing: the number of discovered security vulnerabilities is actually increasing exponentially, while the code is largely only growing linearly. To put it simply: although the software is constantly getting bigger, the number of security vulnerabilities is increasing even faster. The increase in code size alone cannot therefore explain this rapid increase in vulnerabilities. This suggests that other factors are at play – for example, changes in the quality of the software or simply the fact that more vulnerabilities are being sought worldwide. In any case, this represents a real challenge for cyber security, as an exponential increase in security vulnerabilities presents us with an ever-increasing risk.
Question: Why was it important for you to carry out this investigation now?
Wochnik: We are currently seeing that the digital infrastructure is constantly growing in all areas of life – from the smart home to Industry 4.0. The more software we use, the more important it becomes to understand how security vulnerabilities develop and to work out any reasons for this. Our study provides an initial foundation for systematically recording the increase in security vulnerabilities in code. In doing so, we are creating a basis for further research. Especially now, when cyberattacks and new security vulnerabilities are regularly in the headlines, it is crucial to shed scientific light on such trends. If we understand under what conditions and why security vulnerabilities are increasing so much, we can ultimately develop better strategies to counteract them.
Question: How were your results received at the congress in Las Vegas?
Wochnik: Very positive. My presentation at CSCE’24 seemed to have aroused the interest of the audience – there were many in-depth questions from the audience afterwards. Some experts also approached me personally afterwards to talk about the topic. Of course, I was delighted with this feedback. It shows that our topic resonates worldwide. It was my first time on such a large international stage, especially in Las Vegas – that was really something special. In addition to the presentations, there were also many opportunities for networking – I was able to meet researchers from all over the world. Overall, the conference was an incredibly enriching experience – both professionally and personally.
Question: Your paper has been published by Springer Nature, in a volume alongside many established researchers. How important is such a publication for you as a young scientist?
Wochnik: A publication is very valuable for young scientists – especially if you want to stay on the academic path. Specialist publications draw attention to yourself in the research community and show that you have something to contribute. In our case, we are of course particularly pleased that we are publishing with a renowned publisher. It puts a little exclamation mark behind our work. But in general, every publication helps us to establish ourselves in the research landscape and lay the foundations for further work. I would be delighted if our article inspires other teams to continue researching the topic.
Question: Tell us a little about yourself – how did you get into IT security research?
Wochnik: My path into cyber security research began at Mittweida University of Applied Sciences in Saxony. I completed my bachelor’s degree in general and digital forensics there. During my studies, I was able to work with the Cyberagentur during an internship and came across the topic of the rise of cyber security vulnerabilities, which then became the subject of my bachelor’s thesis. The bachelor’s thesis – and also thanks to some exciting modules during my studies – made me really want to delve even deeper into data analysis. That’s why I’m now studying for a Master’s in Data Science while working. At the same time, I’m continuing to work on research topics at the Cyberagentur. I find the combination of practice and study very enriching and a lot of fun. At the end of my Master’s degree, I would also like to look back on my previous research and see what I might do differently with the knowledge I have today.
Question: What are the next steps in this research topic? Will you continue to investigate the development of security vulnerabilities?
Wochnik: As I said, I see our work as an impetus for further studies in this area. The data we have collected certainly offers many starting points. I could also imagine perhaps exploring the topic in more depth in a doctoral project later on – but only time will tell. First of all, it is important that awareness grows: as a society, we should take software security vulnerabilities and their dynamics seriously. If we understand the influencing factors better, we can achieve a lot for everyone’s digital security. The long-term view in particular – for example, whether the exponential trend will continue – is crucial. For me personally, it’s clear that I want to stay in cyber security research. The world is becoming more and more digital and I want to do my bit to make it more secure.
Further information and registration: