CORDIS - EU research results

Assurance and certification in secure Multi-party Open Software and Services.

Periodic Reporting for period 2 - AssureMOSS (Assurance and certification in secure Multi-party Open Software and Services.)

Reporting period: 2022-01-01 to 2023-09-30

In response to the dynamic European Digital Single Market, AssureMOSS emerged as a comprehensive solution, addressing challenges driven by widespread Open Source Software (OSS) use. Key challenges included continuous software changes, diverse sourcing from OSS repositories, and adapting security and privacy assurance to small, continuous updates.

AssureMOSS adopted an innovative approach:
- Shifts from process-based to artifact-based security evaluation.
- Supports all phases of the continuous software lifecycle, offering lightweight and scalable screenings for the entire software component population.

Objectives are defined across multiple work packages:
1. Supports MOSS-based development projects (WP3, WP5) through innovative security audits.
2. Aids continuous integration and deployment projects (WP2, WP4-5) with lightweight techniques for ongoing security assurance.
3. Develops a tool flow (WP2-6) integrating and validating security techniques for continuous (re)certification.
4. Enables the valorization of results (WP7), ensuring effective utilization and recognition.

The significance of AssureMOSS lay in:
- Recognizing the growing use of Free and Open-Source Software (FOSS).
- Acknowledging potential disruptive consequences of vulnerabilities in open-source building blocks.
- Positioning AssureMOSS as a critical player in mitigating risks associated with OSS vulnerabilities, with substantial societal impact.

WP1: Project Management
Defined and implemented administrative, financial, technical, and quality management processes.
Utilized Earned Value principles for resource monitoring.
Organized the GenderMag Workshop at Month 12.

WP2: Design Model Extraction and Security Metrics
Defined detectors for design models in open-source microservice applications.
Published results in D2.1 and a paper on the automatic extraction of Data Flow Diagrams (DFDs).
Released a dataset of manually created DFDs to the research community.
Proposed microservice security metrics and developed a technique for automatic security rule checks.

WP3: ML-Based Source Code Security Analysis
Proposed and evaluated ML-based source code representation methods for security analysis.
Designed, implemented, and released an open-source framework for security bug corrections.
Conducted a rigorous evaluation of state-of-the-art ML explainability methods.
Introduced the Technical Leverage metric and studied software supply chain security risks and mitigations.

WP4: Testing and Validation Platform
Set up a Kubernetes-based platform for testing and validating project activities.
Developed stress test and dynamic analysis methodologies.
Produced and evaluated security assessment methodologies in microservices, particularly focusing on Kubernetes.
Presented a runtime learning prototype for state machine models from MOSS component logs.

WP5: Risk and Resilience Assessment Tools
Defined indicators for risk and resilience assessment in the ResilienceTool.
Defined the AssureMOSS scheme for lightweight delta-certification used by the DeltAICert Tool.
Aimed to reduce efforts for security evaluators through delta evaluation and automation concepts.

WP6: Integrated Toolflow and Repository Mining Toolkit
Defined the AssureMOSS integrated toolflow evaluation and demonstration plan.
Developed Prospector, a repository mining toolkit, for automating the creation of vulnerability-fix datasets.
Implemented and validated three industrial pilots, reporting results through KPIs.
Prepared and published guidelines for risk management and software certification.

WP7: Dissemination, Communication, and Stakeholder Engagement
Created a project website and established social media accounts on Twitter and LinkedIn.
Defined the Dissemination and Communication Plan and Report, Innovation Management Plan, and Exploitation Plan Strategy.
Provided recommendations for cybersecurity certification and policy-making.
Presented a Final Report on Stakeholders’ Engagement and Liaising with other EC initiatives.

WP8: Ethical Deliverables
Drafted the Ethical Deliverables (D8.1, D8.2, D8.3) as requested by the EC and submitted them.

WP2: Architectural Design Information for Security Validation in Microservices
Developed a security validation approach focusing on microservice applications using architectural design information extracted from code.
Created techniques for extracting security-aware design models from code.
Emphasized security assessment through design-level metrics, a security analysis framework, and a conformance analysis technique.
Strengthened security measures and provided a comprehensive evaluation of microservice architectural designs.

WP3: ML-Based Source Code Representation and Analysis
Produced ML models with rich source code representations that go beyond pure syntax, incorporating essential information about control-flow and data-flow.
Emphasized the explainability of predictions produced by ML models.
Validated models and techniques rigorously on real-world open-source projects, contributing to the broad adoption of automated code analysis in the open-source community.

WP4: Microservice Security Enhancement and Mitigation
Developed stress-test and dynamic analysis techniques for microservice deployments, offering pre-deployment analysis and runtime-based detection and mitigation.
Produced a prototype for model reconstruction and methodologies for security assessment in the context of Kubernetes.
Introduced prototypes for mitigating vulnerabilities and threats in MOSS and microservice applications in both the static and dynamic phases.

WP5: Continuous Risk Assessment and Security Certification Tools
Implemented the ResilienceTool and DeltAICert Tool for continuous risk assessment and security certification in MOSS projects.
Contributed to establishing labeled trust relationships between third parties and improving the traceability of security issues.
Successfully validated the tools through expert assessments, enhancing open-source software security.

WP6: Industrial Pilots and Repository Mining Toolkit
Conducted three industrial pilots showcasing the project's results and impact on developing tools beyond the state of the art.
Developed the repository mining toolkit, Prospector, facilitating maintenance and automatic certification throughout the software development cycles of MOSS projects.
Validated industrial pilots using KPIs aligned with market drivers, ensuring practical impact and relevance.

WP7: Dissemination, Exploitation, and Innovation Management
Provided a well-defined strategy for dissemination, exploitation, and innovation management tailored to the project's goals.
Produced clear guidelines and approaches for partners to disseminate and exploit knowledge.
Enhanced visibility and accessibility of project results through organized events.
Increased awareness and utilization of project outcomes by relevant stakeholders.
Developed a business plan contributing to the long-term sustainability of the AssureMOSS solution beyond the project duration.