Samuel Fertig '21

Samuel Fertig (he/him) is a Computer Science major conducting mentored research under Professor Cynthia Taylor. His project is titled “Security Advice on StackOverflow: Is SO SQL-safe?”.

Please describe your project: 

Our research is about finding whether questions posted on a forum for developers called StackOverflow are vulnerable to a security vulnerability known as SQL injection, and also whether the advice given by other people in response to these questions fixes those security flaws.

Why is your research important?

Our research affects not only those who use StackOverflow, but all users of the internet. SQL injection is incredibly widespread and puts your personal information at risk, whether you’re a security researcher, an online shopper, or a social media user. Hopefully, we can limit the amount of vulnerable code written into the applications we all use.

What does the process of doing your research look like?

Most of our research consisted of running a script that pulled up StackOverflow pages, which we manually analyzed to decide whether or not each was SQL injectable, recording that data. After that was done, we trained machine learning models so that they could tell whether or not posts on the website are SQL injectable and then warn people, without the need for humans to do it manually. Right now we are coding a system that would use the machine learning models to inform users when a post is SQL injectable and also educate them on the best ways of fixing those vulnerabilities.
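To make concrete what "SQL injectable" means for the code that turns up in StackOverflow posts, here is an added example written by the editor; it is not part of the interview and is not the project's labeling script or classifier. It uses an in-memory SQLite table with constructed rows and a constructed payload, and contrasts two injectable query styles that are common in posted answers (string concatenation, and Python `%` formatting that is easily mistaken for a bound placeholder) with the parameterized fix.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_concat(conn, name):
    # Injectable: the caller-supplied value becomes part of the SQL text.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_format(conn, name):
    # Also injectable: '%s' is filled in by Python's % operator before the
    # driver ever sees the query, so it is string building, not a bound parameter.
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_param(conn, name):
    # Fix: the value is passed to the driver as a bound parameter and is
    # never interpreted as SQL, so quotes in it cannot change the query.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed injection payload: closes the string literal and appends a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run each query style with an honest name and with the payload.

    Returns a dict of result-row lists so the outcome can be inspected or asserted on.
    """
    conn = make_db()
    return {
        "concat_honest": find_user_concat(conn, "bob"),
        "concat_injected": find_user_concat(conn, PAYLOAD),
        "format_injected": find_user_format(conn, PAYLOAD),
        "param_honest": find_user_param(conn, "bob"),
        "param_injected": find_user_param(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, both string-building variants return every row in the table (the `WHERE` clause has become `name = 'x' OR '1'='1'`), while the parameterized query returns nothing, because it is looking for a user literally named `x' OR '1'='1`. Reviewing a post for this distinction, rather than for whether the code "works", is the check the interview says answers on StackOverflow very rarely make.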

What are your findings so far?

We went into the research knowing that SQL injection is widespread, but we were blown away by the security advice on StackOverflow when it comes to vulnerable code. There is virtually none. A huge proportion of posts on StackOverflow containing SQL code are vulnerable to injection, and very, very few answers to those posts ever point out security flaws.

In what ways have you showcased your research?

We are planning on submitting our research paper to the 2022 USENIX Security Symposium, a computer science security conference. Additionally, our fellow collaborator, Rob Klock, worked on this research for his Honors project and gave a very good thesis presentation on the topic.

How did you get involved in research?

Being a computer science student can feel frustrating because you’re taught practical skills in order to build and design things, but it’s often difficult to actually put these skills to use outside of the classroom (due to time constraints, self-esteem, resources, etc.). I wanted to be involved in something where I could put my skills to use that wouldn’t just be turned in as a lab assignment. Research gave me that opportunity.

What is your favorite part about engaging in this work?

I love how encouraging our advisor is. When we have a tangential idea we want to explore, our advisor, Professor Taylor, supports us however she can. Sometimes these side quests result in something important, and sometimes they just sort of die out. It’s encouraging to do work when you can truly, freely explore your interests without fear of judgement.

How has working with your mentor impacted the development of your research project?

Nothing would be possible without our mentor, Professor Taylor. It is first and foremost her research project, so its development is ultimately up to her. However, she gives us a lot of freedom to pursue things we think are relevant, so she has allowed us to pursue tangents that have proved beneficial to the research, and she has always guided us through tough spots and provided us with resources when we’ve needed them.

How has it impacted you as a researcher? 

It has shown me how possible research is. Research can often seem overwhelming, maybe even reserved for elite academics that pursue topics deep outside one’s scope of understanding. By way of Professor Taylor’s organization and guidance, however, I’ve learned to outline the steps crucial to the development of a research project and to step back and see how an idea can be turned into a coherent, informative project.

How has the research you’ve conducted contributed to your professional or academic development? 

This research project was definitely my main selling point during job interviews, and it helped me land a job, so in that sense it contributed greatly to my professional development. Academically, I was able to further my research by drawing on things I learned in classes, and I was able to better understand certain concepts in my classes because of what I learned from my research.

What advice would you give to a younger student wanting to get involved in research in your field?

Computer science is a massive field. Don’t let yourself become intimidated by what you think computer science research looks like. It can involve heavy programming, it can be a sociological study, it can be a theoretical, philosophical investigation, it can be user-oriented, etc. There’s no limit to topics; go ask the questions you’re interested in. Don’t be afraid to reach out to professors who are in fields that interest you. They might be able to help you figure out a path to start digging and doing research on stuff that you are genuinely curious about. You don’t have to have all the skills, as you can pick up the necessary skills on the way. It’s a process of learning and then using the new knowledge to solve the problems at hand.