
Miles Frantz

Cyber Security Ph.D. Student: Interested in Security Research Positions

About Me

I am a Ph.D. student with research focusing on creating code analysis tools to assist developers by identifying cryptographic misuse in software repositories. My tools save developers time by using on-demand static code analysis to specifically scan for the cryptographic rules that may be broken. My tools also show higher precision than existing tools to ensure developers pay attention to the results. I also utilize several formats for my results to fit into many different DevOps tools and fit nicely into the development lifecycle.

Focusing on the source of the vulnerabilities will provide better long-term solutions as opposed to continuing patching the issues. My application-focused research allows me to provide direct impact to current and upcoming vulnerabilities.

I enjoy working on side projects to help developers secure their code.

Bio

Email
VA, U.S.A

Areas of Interest

  • Static Code Analysis
  • Dynamic Code Analysis
  • Malware/Virus Analysis
  • Prompt Engineering
  • LLM
  • Machine Learning
  • Privacy Analysis
  • Quantum Computing
  • Data Analysis
  • Scripting

Education

May 2020 - Present (Expected May 2024)
I have been working under Dr. Danfeng Yao on Cryptoguard related projects and other static analysis projects. I have also been joining various groups (located at the bottom) as well as taking more security-oriented courses and enjoying the mountains.
August 2018 - May 2020
I have been working under Dr. Danfeng Yao on Cryptoguard related projects and other static analysis projects. I have also been joining various groups (located at the bottom) as well as taking more security-oriented courses and enjoying the mountains.
B.S. Computer Engineering at University of Cincinnati
August 2013 - April 2018
During my undergraduate program, I learned a lot throughout the classes I took and the co-ops I was a part of. The co-ops were the best part of the degree, as they gave me real-world experience and a chance for practical application.

Submissions

Methods and Benchmark for Detecting Cryptographic API Misuses in Python at IEEE TSE
March 2023 - Currently Under Review
Our tool Cryptolation successfully scans complex Python code based on our 18 preset rules.
April 2023
Our tool Cryptolation successfully scans complex Python code based on our 18 preset rules. Despite our high precision, we will reduce its memory and linear-time performance based on the number of dynamic ASTs allowed by the developer.
September 2021
Various software libraries and frameworks provide a variety of APIs to support secure coding. However, misusing these APIs can cost developers tremendous time and effort, introduce security vulnerabilities to software, and cause serious consequences like data leakage or Denial of Service (DoS) on servers. Our tutorial aims to educate people on the best practice of secure coding, the pitfalls that should be avoided, and the detection tools and fixing suggestions of insecure code.
November 2019
Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. CryptoGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generated many security insights. Our findings helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also have made progress towards the science of analysis in this space, including manually analyzing 1,295 Apache alerts, confirming 1,277 true positives (98.61% precision), and in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity.
May 2020
The increasing development speed via Agile[1] may introduce overlooked security steps in the process, with an example being the Iowa Caucus application[2]. Verifying the protection of confidential information such as social security numbers requires security at all levels, providing protection through any connected applications. CryptoGuard[3] is a static code analyzer for Java. This program verifies that developers do not leave vulnerabilities in their application. The program aids the developer by identifying cryptographic misuses such as hard-coded keys, weak program hashes, and using insecure protocols. In my Master's thesis work, I made several important contributions to improving the deployability, accessibility, and usability of CryptoGuard. I extended CryptoGuard to scan source and compiled code, created live documentation, and supported a dual cloud and local tool-suite. I also created build tool plugins and a program aid for CryptoGuard. In addition, I also analyzed several Java-related surveys encompassing more than 50,000 developers and reported interesting current practices of real-world software developers.
November 2019
Cryptographic API misuses seriously threaten software security. Automatic screening of cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of producing a scalable detection tool that developers can routinely use to screen millions of lines of code has not been achieved yet. Our main technical goal is to attain a high precision and high throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field-sensitive data flow analysis. Our current prototype named CryptoGuard can detect a wide range of Java cryptographic API misuses with a precision of 98.61%, when evaluated on 46 complex Apache Software Foundation projects (including Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also generated many security insights. We created a comprehensive benchmark named CryptoApi-Bench with 40-unit basic cases and 131-unit advanced cases for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP). SWAMP is a popular no-cost service for continuous software assurance and static code analysis.
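The submissions above describe two ideas: rule-based scanning of Python source for cryptographic misuse (Cryptolation) and refining the analysis by following a definition to its use so that a hard-coded constant is only reported when it actually reaches a cryptographic sink (CryptoGuard's slicing). The following is an added illustration written for this page, not code from Cryptolation, CryptoGuard or any of the listed repositories. The four rules, the key-like variable names, and the sample module being scanned are all assumptions constructed for the example; it uses only Python's standard `ast` module and runs offline.

```python
import ast
from dataclasses import dataclass

# Constructed sample input (not from any real project): a module that commits
# several of the classic misuses named in the abstracts above.
SAMPLE_SOURCE = '''
import hashlib
import random
from Crypto.Cipher import AES

SECRET_KEY = b"0123456789abcdef"

def digest(data):
    return hashlib.md5(data).hexdigest()

def encrypt(data):
    cipher = AES.new(SECRET_KEY, AES.MODE_ECB)
    return cipher.encrypt(data)

def token():
    return str(random.random())
'''


@dataclass(frozen=True)
class Finding:
    rule: str      # which preset rule fired
    line: int      # 1-based line in the scanned source
    detail: str    # the identifier or call that triggered it


# Assumed rule tables for this example; a real tool ships a far larger set.
WEAK_HASHES = {"md5", "sha1"}
KEY_LIKE_NAMES = {"key", "secret", "secret_key", "password", "passwd"}


class CryptoMisuseVisitor(ast.NodeVisitor):
    """Single-pass AST walk that applies four misuse rules."""

    def __init__(self):
        self.findings = []
        # name -> line of a literal assignment; a tiny def-use record so that a
        # hard-coded value can be traced from its definition to a crypto sink.
        self.const_keys = {}

    def visit_Assign(self, node):
        # Rule 1: a str/bytes literal assigned to a key-like name.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, (str, bytes)):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in KEY_LIKE_NAMES:
                    self.const_keys[target.id] = node.lineno
                    self.findings.append(Finding("hardcoded-key", node.lineno, target.id))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = func.value.id
            # Rule 2: broken hash constructors from hashlib.
            if module == "hashlib" and func.attr in WEAK_HASHES:
                self.findings.append(Finding("weak-hash", node.lineno, func.attr))
            # Rule 4: the non-cryptographic `random` module used at all
            # (a real tool would slice to confirm the value becomes a secret).
            if module == "random":
                self.findings.append(Finding("insecure-random", node.lineno, f"random.{func.attr}"))
            # Rule 1b: a previously recorded literal flowing into a cipher constructor.
            if func.attr == "new":
                for arg in node.args:
                    if isinstance(arg, ast.Name) and arg.id in self.const_keys:
                        self.findings.append(Finding("hardcoded-key-flow", node.lineno, arg.id))
        # Rule 3: ECB mode passed positionally or by keyword to any call.
        for arg in list(node.args) + [kw.value for kw in node.keywords]:
            if isinstance(arg, ast.Attribute) and arg.attr == "MODE_ECB":
                self.findings.append(Finding("ecb-mode", node.lineno, "AES.MODE_ECB"))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse `source` and return the findings in source order."""
    visitor = CryptoMisuseVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding.line:>3}  {finding.rule:<20} {finding.detail}")
```

The `const_keys` map is the smallest possible version of the def-use tracking the abstracts call slicing: the literal on line 6 is reported once where it is defined and again where it reaches `AES.new`, while a key that is read from the environment would produce nothing. The `random` rule, by contrast, fires on every use and shows the kind of false positive that flow-sensitive refinement exists to remove.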

Talks

September 2021
Various software libraries and frameworks provide a variety of APIs to support secure coding. However, misusing these APIs can cost developers tremendous time and effort, introduce security vulnerabilities to software, and cause serious consequences like data leakage or Denial of Service (DoS) on servers. Our tutorial aims to educate people on the best practice of secure coding, the pitfalls that should be avoided, and the detection tools and fixing suggestions of insecure code.
TA: Course SQL Injection Demo at YouTube
November 2020
TA: Course Project Demo at YouTube
November 2019

Projects

FRAC at GitHub Repo
2023 - Present
This is a fully static, client-side, proof-of-concept code analysis platform. I was inspired by the late Software Assurance Marketplace (SWAMP). SWAMP was both a public and private platform that allowed users to upload source code and run various code analysis tools on their code. While hosting their own public cloud instance, they were also able to package the platform for private installation, extending the platform to DoD or government agencies. Unfortunately, the project was closed due to funding issues. Since there seemed to be no static platform with the same capabilities as SWAMP, I waited until the technology was available to make an MVP myself. Frantz's Rule Analysis Checker (FRAC), as it is currently named, is a compiled single, fully static HTML page. A user is able to write in Python source code, click the button to scan the source code with all of the tools currently supported, and see each tool's results. This process is supported by Pyodide, a WASM-based Python runtime, enabling the entirety of the process to run inside the browser itself. The process is not saved elsewhere and the results are not transmitted elsewhere. I have only added the base Google Analytics to see how many people visit the site. As this is a live project there will be ongoing additions. Please visit the website page itself at https://rebrand.ly/frantzme_frac for more details.

Topics: GitHub Actions, Python, Python3, Static Analysis, Website, Code Analysis, Platform, Privacy, Security
Scripts | funbelts at GitHub Repo
2022 - Present
This repository originally started off as an internal collection of various Python utilities I would use, with testing capabilities. Not limited to Python scripting, it also includes links to dockerPush.py, which simply aids my use of Docker. I also packaged the Python utilities under the PyPI name funbelts. While I originally thought I would be the only user of the package, I have heard it make some waves. Fortunately it seems there have been thousands of downloads, so hopefully others find this package helpful.

Topics: Docker, Docker-Compose, GitHub Actions, Python, Python3, Portable Environment, Cross-Platform
2019 - 2019
This was a class project created for an Advanced Machine Learning class. The purpose of this project was to replicate an existing paper's work and to add onto it. For this, my group chose to replicate the paper WaveNet and to enhance the results by running it on music samples. Unfortunately, we were unable to create any sound samples that mimic actual music; however, as shown on the website, there is a clear improvement in the music generation from the models.

Topics: ML, Machine Learning, GAN, Music Generation, Python, Live, Online
GradleGuard at GitHub Repo
2019 - 2020
This is the Gradle plugin for my thesis project Cryptoguard. This was created to help ease the access and use for developers to be able to use Cryptoguard.

Topics: Gradle, Java, Build System, Build Tool, Code Analysis
MavenGuard at GitHub Repo
2019 - 2020
This is the Maven plugin for my thesis project Cryptoguard. This was created to help ease the access and use for developers to be able to use Cryptoguard.

Topics: Maven, Java, Build System, Build Tool, Code Analysis
CryptoGuard at GitHub Repo
2019 - 2020
This is a static and compiled code analyzer, serving as my current thesis project. This project will scan cryptographic misuse in Java Projects (Maven/Gradle based) and Android Projects. Recent works with this project have included making an enhanced interface for this to work with other programs and tools.

Topics: Java, Build System, Build Tool, Code Analysis, Cryptography, Analysis
Cryptolation at GitHub Repo
2020 - Present
A Python static code analysis tool.

Topics: Python, Code Analysis
PyCryptoBench at GitHub Repo
2020 - Present
A purposely vulnerable cryptographic dataset to help advanced code analysis tools. Feel free to download this sqlite or use it live at DBHub.

Topics: Python, Benchmark, TestBed

Utils

Mystring at GitHub Repo: Build Badge
2020 - Present
A Python project that started out as a simple Python string wrapper that provided extra utilities. This has expanded in scope to different object types, such as dataframes, but always providing useful utilities to each data object.
Hugg at GitHub Repo: Build Badge
2020 - Present
A Python project that provides a very simple common interface between different data storages. What separates this interface is the low requirements for each backend and the focus on scripting the files.
Sdock at GitHub Repo: Build Badge
2020 - Present
A Python project that started out as a common way to interact with Docker commands through Python. There is the basis for additional capabilities within VirtualBox, Ansible, and others. This work is currently delayed, however.
Splunkr at GitHub Repo: Build Badge
2020 - Present
A Python wrapper to expose the Splunk HTTP Event Collector provided from this post to PyPi. No work has been done to the internal script and the original script remains the work of the original poster.
Xcyl at GitHub Repo: Build Badge
2020 - Present
A very basic Python project that stands to be a simple interface between raw data files, such as sqlite and excel files. This is still in its infancy.
Ephfile at GitHub Repo: Build Badge
2020 - Present
A Python project to extend the capabilities of temporary files. While the current tempfile module provides the capability to create temp files, this library allows users to automatically write to the files and automatically get the file path.
Gett at GitHub Repo: Build Badge
2020 - Present
A Python wrapper to re-expose the wget source code provided from this post to PyPi. The only change I have done is to fix an issue with handling files that don't have a file extension.
Bal_Fileops at GitHub Repo: Build Badge
2020 - Present
A Ballerina Project that simply manages file operations, such as reading, writing, and overwriting files.
Bal_Generics at GitHub Repo: Build Badge
2020 - Present
A Ballerina Project that provides a simple set of generics to the Ballerina log module. This also tries to have simple operators working alongside the generics.
Bal_Strings at GitHub Repo: Build Badge
2020 - Present
A Ballerina Project that provides extra operators and helpers to the string module.
Logg at GitHub Repo: Build Badge
2020 - Present
A Ballerina Project that helps to create a general logging interface.
Repos at GitHub Repo: Build Badge
2020 - Present
A Ballerina Project that creates the ability to sift through GitHub repositories and retrieve their files.
Splunk at GitHub Repo: Build Badge
2020 - Present
Similar to franceme/splunkr, this Ballerina library aims to create the functionality to communicate with a Splunk Http event collector.

My Docker Setup

A mind map representing my current Docker environment. Since I use a varied set of tools for different development and research environments, I needed to be able to easily switch my toolsets. Due to hard-drive space limitations, I started to leverage Docker. I used my familiarity with GitHub Actions to create a chained build of several Docker images. Scripts and PyScripts are both Python script repositories providing built-in scripts. BaseDocker is the first Docker image that builds, and each subsequent Docker image builds off of it. For example, JavaDev is built off of BaseDocker using a script from PyScripts to automatically download and include several packages.

Why did I do this? Simply to create an inheritance-based environment tool chain. If I need a common utility between two Docker images, I just include it in BaseDocker and the changes trickle down. Many of these are private simply due to the various custom build processes I use.

Work Experience

06/11/2023 - Present
Helping the students and procedurally grading the assignments.
1/2 Graduate Teaching Assistant at Virginia Polytechnic Institute and State University
01/01/2023 - 06/11/2023
Helping the students and procedurally grading the assignments.
1/2 Graduate Research Assistant at Virginia Polytechnic Institute and State University
01/01/2023 - 06/11/2023
Currently researching prompt engineering within ChatGPT and other LLMs.

Skills: Prompt Engineering, LLM, ChatGPT
08/16/2022 - 01/01/2023
Currently researching malware, source code, and their identification.

Skills: Static Analysis, Mitosheet, Cuckoo, Attack Surface Evaluation, Red Team
Intern at Peraton
06/11/2022 - 08/16/2022
As an intern within an Internal Research and Development team, I was able to create a brand new framework to assist the team in meeting their security promises. It was not limited to security but also paved the way for various integrations, such as compliance, policies, metrics, and many more. I was also the point of contact between the team and several independent security companies.

Skills: Static Analysis, Dynamic Analysis, Software Composition Analysis, Attack Surface Evaluation, Red Team
08/01/2021 - 05/01/2022
Assisting students with their problems. Enhancing the autograding capabilities via Python scripting.

Skills: Static Analysis, Canvas Scripting, Mitosheet, VirtualBox, Attack Surface Evaluation, Red Team
01/19/2021 - 08/01/2021
Researching Static Code Analysis for my future project. Creating and examining dynamic test bench. Creating reproducible testing for future additional tests.

Skills: Static Code Analysis, Reproducible testing, Dynamic Languages
08/05/2020 - 12/20/2020
Helped record videos for the lab lectures.

Skills: Managing Students, Handling Lectures, Detailing and Recording Labs
Intern at Oracle
01/19/2021 - 01/19/2021
Due to Covid the internship was not started.
07/31/2019 - 07/31/2020
Created a live Jupyter notebook for extended documentation on Cryptoguard use. Worked on the open-source project Cryptoguard. Exploring various avenues to make Cryptoguard more easily available. Created both Gradle and Maven plugin supporting Cryptoguard within the build process (IDE independent). Creating a live Java Jupyter notebook through MyBinder for live and public demonstrations.

Skills: Cryptoguard, Jupyter Notebook, IJava Jupyter Notebook, Gradle Plugin, Maven Plugin, Dockerfile
Internship at Worldpay from FIS
05/03/2019 - 07/31/2019
Enhanced multiple Tasktop integrations by making custom JavaScript logic. Improved Terraform scripts to dynamically build Virtual Machines. Enabled the Open Source Project Hygieia for system and tool monitoring. Implemented a Python3 script to track Hygieia usage and automatically start and stop the project. Enabled users to work with various tools owned and managed by the team.

Skills: Hygieia, Tasktop, Github Enterprise, Splunk, Nexus, Jenkins, Terraform, Ansible, Teamforge, Rally, TFS, Checkmarx, DataPower, XLDeploy, XLRelease, DevOps, DexVMs, DevSecOps, Bash
10/01/2018 - 05/03/2019
Worked with an external consumer to create a specific output adapter for their service. Designed a system to create any of three different outputs dependent on the user. Worked on the open-source project Cryptoguard. Used a design akin to common flat data-base designs.

Skills: Cryptoguard, Research Skills, Soot, Modularization Design, Adapter Design, Abstract Factory
07/01/2018 - 12/19/2018
Helped split the students into anonymized groups for a research study. Helped the students out with their inquiries. Graded various student assignments including the finals.

Skills: Managing Students, Grading Reports, Creating Groups
01/09/2017 - 08/12/2017
Fundamentally enhanced a highly utilized SOAP API with an overall average response time < 100 ms. Mentored two Computer Science Students. Enhanced and rectified various incidents on existing Java/Webmethods Webservices. Designed several SOAP Webservices. Created an API that supports both SOAP and REST as a POC. Combined Reflection and Aspect-oriented programming to dynamically filter Java SOAP API output. Worked closely with a DevOps team to support and showcase both XL Deploy and XL Release using internal APIs. Trained two other interns on the team and led several KT sessions.

Skills: Java EE, JUnit 4, Mockito, Leadership, IBM Websphere, Software AG, Webmethods, SOAP, Splunk, DataPower, XebiaLabs, XLDeploy, XLRelease, REST, DevOps, SoapUI, SQL, AQT, Postman
05/2016 - 08/2016
Led an Agile team to design and create a Caching Web Application through Dynamic Server Pages. The Caching Web Application compared values cached in a server to live data-base values. Enhanced and rectified various incidents on existing Java/Webmethods Webservices.

Skills: Java EE, IBM Websphere, Leadership, Webmethods, SOAP, SoapUI, Server Cache Web App, DSP, SQL, AQT
08/2015 - 01/2016
Created an API Operation to store tiff images for internal client issue management. Setup a deletion API Operation to clear issues for multiple internal clients. Enhanced and rectified various incidents on existing Java/Webmethods Webservices.

Skills: Software AG, Webmethods, SOAP, SoapUI, SQL, AQT, Bash
01/2015 - 04/2015
Implemented several Bash scripts to track API usage. Created a lightweight Java program to translate a phone-digit-text based input to alphabet characters.

Skills: Software AG, Bash, Static

Career Path

Security Researcher
2018 - Present
From the start of my Graduate Degree I started investigating security cryptographic misuse in Java Projects. Helping to identify cryptographic issues using the latest code slicing techniques is very exciting. The quickest way to fix a vulnerability is at the source code before it makes it past the developer, and I aim to create the fastest and most efficient ways to do that.
DevOps Engineer
2019 - 2022
I have had several internships with work concentrating on DevOps, both during my graduate degree at Worldpay from FIS and at Peraton. I learned how to directly help developers using several tools I picked up throughout my internships as well as various tools throughout my schooling. While I lightly used several different technologies, I utilized Docker the most. I leveraged the Docker framework throughout my personal work to create a self-building and inheritance-based structure, creating different images for my different tasks.
Software Engineer
2015 - Present
The internships I had throughout my undergraduate degree, starting from 2015, solidified the Software Engineering skills I still use today. My two mentors taught me how to create working code using proper etiquette. They also helped me to manage less-than-optimal projects and adapt them to our modern development practices.

Groups

2022 - 2023
This group represents the interests of the graduate student body at Virginia Tech and assists within any meetings for the department. It also creates events to help enhance the graduate student climate such as fun activities and welcome back meetings.
2021 - 2022
This group represents the interests of the graduate student body at Virginia Tech and assists within any meetings for the department. It also creates events to help enhance the graduate student climate such as fun activities and welcome back meetings.
Slack Admin at iMentor
2020 - 2020
From the homepage: iMentor focuses squarely on attracting, mentoring, and career advising early-stage graduate students from underrepresented communities who want to pursue a career in computer security. Being virtually co-located with the ACM Conference on Computer and Communications Security (ACM CCS) 2020, the workshop provides an opportunity for attendees to also participate in the main conference and benefit from it. ACM CCS is a top-tier venue for the quick and wide dissemination of cutting-edge research results in computer and communications security.
Vice President at Graduate Student Council
2020 - 2021
This group represents the interests of the graduate student body at Virginia Tech and assists within any meetings for the department. It also creates events to help enhance the graduate student climate such as fun activities and welcome back meetings. I have set up the GitHub Organization and the website to auto-build using GitHub Actions.
2018 - Present
Upholding Devotion to the Standards and Dignity of the Engineering Profession. This group is a ceremonious group acknowledging members' commitments to uphold high qualities and their duty as an engineer.

Consultations

Demo User at PipeDreams
08/30/2022 - Current
I was recently introduced to the project and have taken to it well. I have attempted to use Zapier before but found it too constricting. I have already made several suggestions for additional app integrations that I would be interested in, and I look forward to using it.
User at Orchest
08/01/2021 - Current
I am currently using this for several of my data cleaning pipelines. Since I have had to do various processes, this helps me visually organize the code flow. When I talked with the CTO, many of my changes were already being addressed. However, with the extra addition of Webhooks, I also needed to create an enhanced transfer library. Shown here is the result of my work, as Orchest currently natively allows only one output to be transferred to other steps. This library allows me to transfer more data between steps.
An Original Member at Mito
01/22/2020 - Current
I believe I was one of the early users of the project and had various meetings with the owners. Many of my contributions made it into the current project. My main idea contributed to the project is the idea of code generation. Since I truly believe in reproducible code, I saw the code generation as a necessity to transfer the steps to other people. This also enables developers to quickly template dataframe changes using Mito and then copy-paste the snippet into a separate Python script.