Project description
A new way to certify open source software
Europe depends on open source software (OSS) that is mostly designed abroad. In particular, the European Digital Single Market lacks an in-house software, with data showing that most is assembled online and more than half is derived from OSS, mainly from outside Europe. Universities, small, medium- and large-sized enterprises, a specialised interest group and an advisory board with key OSS and industry profiles have teamed up to create new methods and approaches to accelerate the development of better software. The EU-funded AssureMOSS project will address the challenge of OSS designed in any location, but secured in Europe. Specifically, it proposes to make the shift from process-based to artefact-based security evaluation, by supporting all phases of the continuous software life-cycle (design, develop, deploy, evaluate and back up).
Objective
Continuous, distributed changes rule today's European Digital Single Market as no single company does master its own national, in-house software. Software is mostly assembled from “the internet” and more than half come from Open Source Software repositories (some in Europe, most elsewhere). Security & privacy assurance, verification and process certification techniques designed for large, controlled updates over months or years, must now cope with small, continuous changes in weeks, happening in sub-components and decided by third party developers one did not even know they existed.
AssureMOSS addresses these challenges to the fullest extent: « Open Source Software - Designed Everywhere, Secured in Europe ».
AssureMOSS proposes to switch from process-based to an artefact-based security evaluation by supporting all phases of the continuous software lifecycle (Design, Develop, Deploy, Evaluate and back) their artefacts (Models, Source code, Container images, Services). The key idea is to support mechanisms for lightweigth and scalable screenings applicable automatically to the entire population of software components by
- Machine intelligent identification of security issues across artifacts,
- Sound analysis and verification of changes by tracing the security and privay side effects,
- Business insight by risk analysis and security evaluation.
This approach supports fast-paced development of better software by a new notion: continuous (re)certification.
AssureMOSS has assembled a team including 5 leading Universities (Delft, Gotheborg, Trento, Vienna, VU Amsterdam), 3 innovative SMEs (FrontEndART, Search-Lab, Pluribus One), 3 Large Enterprises (E&Y, SAP, Thales) and 1 Special Interest Group Organization (EU-VRi) and an Advisory Board with key figures from OSS and industry at large.
The project will generate not only a set of innovative methods and open source tools but also benchmark datasets with thousands of vulnerabilities and code that can be used by other researchers.
Fields of science
Keywords
Programme(s)
Funding Scheme
RIA - Research and Innovation actionCoordinator
38122 Trento
Italy