Michael Hicks on Building Safer Software and Better Practices in Cybersecurity

February 9, 2026

Author: Melissa Pappas

When Michael Hicks, the Cecilia Fitler Moore Professor in Computer and Information Science, Director of the Schlein Center for Cybersecurity and a Penn alum, first encountered an Apple II computer in primary school, he didn’t know it would lead to a lifelong fascination with how to program software and how to make it work better.

As a high school student in San Diego, Hicks was good at math but also enjoyed creating things: He ended up spending more time drawing comics than debugging code. “I got into the comic convention scene and loved it,” he recalls. “I thought that might be what I would do, become a professional comic artist.”

But his practical side eventually won out. “When it came time to choose a career path, I turned to engineering.” His first stop was architectural engineering until he realized he didn’t care much for designing buildings. However, a required computer programming class rekindled his early love of coding. Shortly after, Hicks switched majors, started coding seriously, and ultimately settled on the career path of computer science.

But just as he was getting ready to graduate with his bachelor’s degree, he found himself at another crossroads. “My professor asked me what I planned to do. I said, ‘Get a job,’ and he said, ‘You should apply for grad school.’ I had never considered continuing school, but I took his advice, completed the GREs, and after two years working in industry, returned to student life. Six years of grad school helped me realize that academia was a perfect environment that would allow me to explore my creativity in a meaningful way. That one conversation changed everything.”

An Academic Fit

Hicks came to the University of Pennsylvania in 1995 to pursue his Ph.D. His thesis focused on dynamic software updating technology, which enables software to be updated while it’s still running.
The innovation aimed to save companies enormous amounts of time and cost by avoiding service interruptions when patching critical security bugs and adding important features. Hicks’ thesis won the ACM Special Interest Group in Programming Languages (SIGPLAN) Doctoral Dissertation award and launched him into his academic career.

After graduating, he joined Cornell as a postdoctoral researcher and later the University of Maryland as a professor, founding his own lab. Over the next 20 years, Hicks mentored more than 20 Ph.D. students and continued to push the boundaries of what was possible in reliable and secure computing.

From Safer Code to Safer Languages

While a postdoctoral researcher and continuing at the University of Maryland in the early 2000s, Hicks and his collaborators confronted a deep problem: the most commonly used programming languages at that time, C and C++, contained inherent weaknesses that made their programs vulnerable to memory corruption attacks.

“Memory corruption vulnerabilities let attackers inject malicious code into programs,” he explains. “You can visit a website an attacker has set up to exploit a vulnerability, and as a result your browser might start executing the attacker’s code on your computer.”

In response, Hicks and collaborators developed Cyclone, a language designed to eliminate those vulnerabilities while preserving the power, performance and flexibility of C. Though adoption was limited, the work left a lasting mark. Years later, the developers of Rust — a language now lauded for its safety features — drew inspiration directly from Cyclone.

“This is what academic research is about,” says Hicks. “Even if your idea doesn’t become the one the world uses directly, it can become the backbone for future innovation.
It was inspiring to see other people build upon original ideas implemented in Cyclone and take them many steps further, integrating them with ideas from other places to address programmers’ needs, and to help address other challenges to ensure programs’ security and reliability.”

A Turn Toward Cybersecurity

As computing expanded into the cloud in the 2010s, Hicks turned his attention to addressing the real concern of sharing sensitive data in the cloud, still very much an unknown black box of processes and information at the time. Collaborating with cryptographers and security experts, he helped pioneer cryptographic approaches for “confidential computing.” Around that time, he also became Director of the University of Maryland’s cybersecurity center, and helped develop new curricula and online programs to train the next generation of security-minded systems and software engineers.

It was in this role that Hicks started exploring “fuzzing,” a technique for automatically discovering software vulnerabilities through randomized testing. But when he and a high school student intern in his lab tried to work with state-of-the-art fuzzers in 2017, they discovered an unsettling issue, not with the code, but with the science itself.

“We couldn’t reproduce other researchers’ results,” says Hicks. “After toiling about for a while, we finally realized it wasn’t our fuzzing setup that was broken, it was that the evaluation process across the community did not ensure reliable, reproducible results.”

Their breakthrough paper revealed that many studies on fuzzing failed to employ scientific best practices, instead leaning on inconsistent or cherry-picked data. Experiments in the paper showed this was leading to unreliable conclusions.

Reframing the Field at Penn

That moment reshaped Hicks’ thinking about academic research. “It made me ask: what are we really doing this for?
If your work doesn’t produce a firm foundation to build on, leading toward something useful for society, then what’s the point?”

Hicks left the University of Maryland in 2021, and after a four-year stint at Amazon Web Services, he returned to Penn in 2025, eager to reimagine how his work could serve the broader world.

Today, as Director of the Schlein Center for Cybersecurity at Penn Engineering and co-director of the new Master of Science and Engineering in Software Systems and Cybersecurity, Hicks brings that ethos into both his research and teaching. His graduate course, CIS 7000: Secure System Engineering and Management: A Data-Driven Approach, challenges students to connect technical work to human outcomes.

Hicks starts his cybersecurity class with a simple question: Is the world’s cybersecurity safer now than it was ten years ago?

“Students start debating the efficacy of various mechanisms for cybersecurity, but I stop them and ask, ‘how would you measure that?’ What evidence would you collect?” he says. “Once you think that way, you start to see that improving cybersecurity isn’t just about better code, it’s about better science, and ultimately, better lives for people.”

Hicks is reaching across disciplines, exploring collaborations with social scientists, lawyers, policy experts and national security scholars. His classroom has become a lively laboratory of ideas with students debating, asking and connecting on the topics of cybersecurity and what it means to everyday life. Hicks encourages these conversations and tells his students to “communicate clearly and fail fast.”

For Hicks, this philosophy of experimentation, iteration and creativity is what ties together the art and science of computing innovation.

“Being back at Penn feels like coming full circle,” he says. “I started out looking at how to make software and its security better. Now I’m thinking about how to make the science of software security better.
Doing so will boost the quality of not just my work but that of many others and, I hope, make a real difference in people’s lives.”

Learn more about Hicks’ research on his website and the Master of Science and Engineering in Software Systems and Cybersecurity here.