AssureMOSS
 
 
http://www.risk-technologies.com/home.aspx?pst=bl&pag=1329&BlockID=-718
ASSURANCE AND CERTIFICATION IN SECURE MULTI-PARTY OPEN SOFTWARE AND SERVICES
Acronym: AssureMOSS
Start date: October 1, 2020
End date: September 30, 2023
Description: The Assurance and certification in secure Multi-party Open Software and Services (AssureMOSS) project aims to produce a coherent set of automated, lightweight techniques that allow software companies to assess, manage, and re-certify the security and privacy risks associated with the fast-paced development and continuous deployment of multi-party open software and services (for which we introduce the MOSS acronym). Ultimately, we aim at supporting the creation of more secure MOSS software.

Continuous, distributed changes rule today's European Digital Single Market, as no single company masters its own national, in-house software. Software is mostly assembled from “the internet” and more than half comes from Open Source Software repositories (some in Europe, most elsewhere). Security and privacy assurance, verification and process certification techniques designed for large, controlled updates over months or years must now cope with small, continuous changes in weeks, happening in sub-components and decided by third-party developers one did not even know existed. AssureMOSS addresses these challenges to the fullest extent: «Open Source Software - Designed Everywhere, Secured in Europe». AssureMOSS proposes to switch from a process-based to an artefact-based security evaluation by supporting all phases of the continuous software lifecycle (Design, Develop, Deploy, Evaluate and back) and their artefacts (Models, Source code, Container images, Services). The key idea is to support mechanisms for lightweight and scalable screenings applicable automatically to the entire population of software components by:
- Machine-intelligent identification of security issues across artifacts,
- Sound analysis and verification of changes by tracing the security and privacy side effects,
- Business insight by risk analysis and security evaluation.

This approach supports the fast-paced development of better software by a new notion: continuous (re)certification. The project will generate not only a set of innovative methods and open-source tools but also benchmark datasets with thousands of vulnerabilities and code that can be used by other researchers.
R-Tech Specific Role: Steinbeis EU-VRi will define, develop and implement an indicator-based methodology in the ResilienceTool to support continuous risk and resilience assessment of Multi-party Open Software and Services (MOSS) within the DevOps cycle. In collaboration with the project partners, EU-VRi leads the tasks of developing operational and system-level risk indicators for assessing the security and resilience of software systems from the design (architectural) phase, through the code-level (build) phase, to the run-time (deployment) phase, supporting CI/CD.