Meet Patrick Zielinski, Ph.D. Candidate in Computer Science


Patrick Zielinski is a second-year doctoral candidate in Professor Justin Cappos's Secure Systems Lab. His research focuses on securing the software we all depend on, and he recently earned a Distinguished Paper Award at one of the cybersecurity field's top conferences. We sat down with him to learn about his journey and his work.

What first drew you to computer science?

I went to high school in Franklin Lakes, New Jersey, and took a specialized engineering curriculum. What really hooked me was doing programming for my school's robotics team. There's something incredible about writing code and watching a physical machine bring it to life. That experience made me realize I wanted to pursue computer science seriously.

Did you have any early work experiences that shaped your path?

My school hired me as an IT technician for three summers in a row. It wasn't glamorous research work, but it taught me to appreciate the administrative side of technology. You learn quickly that even the best software doesn't matter if nobody can use it properly or if systems aren't maintained. That perspective continues to influence how I approach my research today.

How did you end up at NYU Tandon?

I did both my bachelor's and master's degrees at Stevens Institute of Technology, finishing my B.S. in 2022 and M.S. in 2023. My advisor there was moving to Spain and suggested I consider a doctoral program overseas. But I wanted to stay in the United States. A lab mate who was doing postdoctoral research at NYU Tandon told me about Professor Cappos's work, and I was immediately drawn to how he tackles real-world problems — not just theoretical exercises, but actual systems that get deployed and used by major companies.

Can you explain your recent award-winning research in simple terms?

Our paper, which won a Distinguished Paper Award at the Network and Distributed System Security Symposium 2025, addresses a vulnerability in how software gets developed. Think of platforms like GitHub as giant libraries where developers store and collaborate on code. The problem is, these platforms are a single point of trust: if an attacker compromises one, they can potentially inject malicious code that spreads everywhere.

Our system, gittuf, decentralizes that trust. Instead of relying on one platform to keep everything safe, gittuf requires multiple developers to cryptographically sign off on changes. Even if hackers break into GitHub itself, they'd need to compromise several developers' personal keys to make unauthorized changes, and even one honest developer using gittuf can detect and reverse any tampering.

Why would this matter to the average person?

Software supply chain attacks have been surging. In 2021, attackers compromised the PHP programming language's official server to insert malicious code, and PHP powers a huge chunk of the internet. Similar attacks have hit Linux distributions and countless open-source projects. When the tools that developers use to build your apps, websites, and even car software get compromised, the effects ripple out to everyone. Our work is about making those foundations more secure.

Is gittuf being used in the real world?

It is! Gittuf is now a sandbox project with the Open Source Security Foundation, hosted by the Linux Foundation. Projects under the OpenSSF and Cloud Native Computing Foundation are already using it, and Bloomberg is currently piloting the system. It's really rewarding to see research move from the lab into actual production environments.

What's next for your research?

My dissertation will focus on law and policy, specifically, how we can make legal documents like statutes and regulations securely accessible online. Right now, if you want to look up the law, you're trusting that whatever website you find has the accurate, authentic text. We need secure, authenticated copies that everyone can access and verify. This becomes especially important when you consider threats from nation-state actors who might want to tamper with official records.

Any advice for students interested in cybersecurity research?

Don't underestimate the value of practical experience, even if it seems mundane. Those summers doing IT work taught me things I still use today. Also, look for research that has real-world impact. There's a lot of important theoretical work in our field, but I find it especially motivating to work on systems that actually get deployed and help protect people.