Johnny So

Johnny So

PhD Candidate

Stony Brook University


I am currently a fourth-year Ph.D. candidate advised by Professor Nick Nikiforakis at the PragSec Lab in Stony Brook University. I investigate (the lack of) web integrity in various contexts (e.g., domain names and JavaScript) through large-scale experiments, and subsequently design and evaluate defenses that improve the integrity of the web.

  • Web Security
  • Distributed Systems
  • Network Security
  • Algorithms
  • PhD in Computer Science, 2020 - Dec 2024 (expected)

    Stony Brook University

  • BSc in Computer Science, 2016 - 2020

    Stony Brook University

  • BSc in Applied Math and Statistics, 2016 - 2020

    Stony Brook University


(Incoming) Software Engineer Intern
May 2024 – Aug 2024 Bellevue, WA
Responsibilities TBD.
Research Assistant
Aug 2020 – Present Stony Brook, New York

Conducting web security research projects that result in flagship conference publications:

  • Designing an application-agnostic link management system that prevents access to external dependencies of websites if such links violate integrity policies
  • Demonstrated that strict integrity verification of scripts cannot protect the web and provided insight for future methods through a large-scale, data-driven analysis (Things Change)
  • Profiled the behavior of bots that monitor Certificate Transparency logs, analyzing how bots of various intentions and origins react to new certificates within seconds (Uninvited Guests)
  • Illustrated the capability of adversaries to potentially affect millions of IP addresses in tens of thousands of autonomous systems by re-registering a few hundred domains (Domains Change)
  • Proposed transparent web authentication mechanisms that leverage deception (Click This, Not That)
Software Engineering Intern
Jun 2023 – Aug 2023 Remote
Designed a policy-based system to detect broken object-level authorization in API traffic
PhD Research Intern
May 2022 – Aug 2022 Remote
Analyzing the integrity of Android applications through dynamic analysis (under submission)
Software Development Engineer Intern
Jun 2019 – Aug 2019 Seattle, Washington
Created an intent recommendation service for Alexa skills using short utterance text data
Software Engineer Intern
Jun 2018 – Dec 2018 Stony Brook, New York
Built the prototype of a new state health exchange platform and established a preprocessing library used to build machine learning models


Quickly discover relevant content by filtering publications.
(2023). The More Things Change, the More They Stay the Same: Integrity of Modern JavaScript. In Proceedings of the ACM Web Conference (WWW), 2023.

PDF Cite Teaser Media Coverage

(2022). Uninvited Guests: Analyzing the Identity and Behavior of Certificate Transparency Bots. In Proceedings of the USENIX Security Symposium (USENIX Security), 2022.

PDF Cite Talk NSA 11th Annual Best Scientific Cybersecurity Paper

(2021). Domains Do Change Their Spots: Quantifying Potential Abuse of Residual Trust. In Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P), 2022.

PDF Cite Teaser Talk

(2021). Click This, Not That: Extending Web Authentication with Deception. In ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2021.

PDF Cite


WSE 380 Rotation: Technical Foundations of a Startup
WSE 380 Rotation: Honeypots and Intrusion Detection
WSE 380 Rotation: Honeypots and Intrusion Detection
CSE 331: Computer Security Fundamentals
CSE 214: Data Structures


Paper Reviewer

I contributed paper reviews for the following conferences and journals:

  • International Symposium on Research in Attacks, Intrusions, and Defenses (RAID), External Reviewer: 2023
  • IEEE Transactions on Networking (ToN), Paper Reviewer: 2024

Artifact Evaluation Committee

I served on the artifact evaluation committee for the following conferences:



  • josso [at] cs [dot] stonybrook [dot] edu