CORDIS - EU research results
Content archived on 2023-03-07

Building better, more secure software

How can you be sure the software on your computer is secure? Improving software security is at the heart of the SHIELDS ('Detecting known security vulnerabilities from within design and development tools') project, which received EUR 3.25 million under the 'Information and communication technologies' Theme of the EU's Seventh Framework Programme (FP7). The project, which officially ends in June, has helped tackle the software security challenge.

Even today, with technology progressing at a rapid pace, software systems continue to be hampered by security vulnerabilities. In fact, progress has much to do with the problem itself. For instance, rates of failure have increased with the need to protect mounting volumes of critical information and systems (known as 'software controlling'). Also, as software has advanced and become more complex, so have the flaws. Finally, with software-intensive systems increasingly seen as economic and political targets for well-resourced attackers, the threats to these systems have likewise escalated. Trusting firewalls and anti-virus applications to protect software is no longer sustainable, with experts increasingly pointing out the need for security to be built in as a fundamental part of the software itself.

At the industry level, the SHIELDS team believes that some of these problems persist because information on known vulnerabilities is not made available to software developers or integrated into the tools they use to build software. Typically, vulnerability databases that may be accessed by developers contain only general information on the problems, and on risk assessment, solutions and tools (normally written, in any case, with users and not developers in mind). The lack of information for developers means a lack of support for finding and removing security vulnerabilities.

Since the SHIELDS project was launched in 2008, the team's approach has been to focus on the knowledge and communication gap that exists between security experts and software practitioners. By providing software developers with important information from sections of the industry, the aim for SHIELDS has been to prevent known security vulnerabilities from being inadvertently written into new software. New tools would make it easier and faster for security experts to deliver the information on security vulnerabilities, which would, in turn, help developers avoid, detect and remove them.

The solution for SHIELDS was to develop the Security Vulnerability Repository Service (SVRS), a shared repository of security information for all kinds of software security tools and methods. The SVRS is the central element of SHIELDS services. Its main purpose is to serve as an intermediary between security experts and software developers. It stores and manages complex interconnected security knowledge. In addition, the team has designed two certification programmes for the industry: SHIELDS Compliant and SHIELDS Verified. SHIELDS Compliant is for tools that are compatible with SVRS, and SHIELDS Verified is used for certifying that software has been checked for security vulnerabilities during the development process.

The SHIELDS project has successfully undergone several reviews, where the SHIELDS approach and model-based testing tools were demonstrated. Case studies have shown a reduction in software security problems and that the tools are appropriate for both security experts and software developers. Almost all of the eight evaluators involved rated the SHIELDS tools quite highly for detecting security vulnerabilities. Over the course of the 30-month project, work undertaken by the team has also created tools that are in sync with new technologies, and provided better information for software developers and buyers.
These tools allow testing (Flinder by SEARCH-LAB, TEG by Montimage and Institut TELECOM), monitoring (TIC and TIPS by Montimage and Institut TELECOM), editing models (GOAT by LiU, SeaMonster by SINTEF) and performing inspections (DEFECT by Fraunhofer). The SHIELDS consortium includes Institut TELECOM/TELECOM SudParis (France), Montimage EURL (France), Fraunhofer IESE (Germany), SEARCH-LAB Ltd (Hungary), TXT e-solutions SPA (Italy), SINTEF (Norway), European Software Institute (Spain), and Linköpings Universitet (Sweden).
