Vulnerability Search and Prevention through Holistic End-to-end Risk Evaluation

Tool for cybersecurity

An EU team has enabled the design of genuinely secure computer systems.

Digital Economy

Much of modern life depends on the supposed security of large computer systems such as those used in government, banking, e-commerce, and the power grid. Yet all these systems and their applications are insecure and therefore vulnerable to attack.

The EU-funded V-SPHERE project developed a software tool that enables the design of genuinely secure computer systems. The tool, named PROSA, supports the crucial initial phases of system specification and design. PROSA does so by enabling security-by-design. In practice this means helping programmers and architects create system models, simplifying documentation of system design and implementation and, at the same time, performing a comprehensive and trustworthy threat analysis.

Market analysis

During phase one, V-SPHERE began an analysis of the market and buyer attitudes to external consultants. The study was intended to help define the next software version. Results indicated a European market for PROSA of over 1 800 potential customers.

The analysis also showed that PROSA’s few competitors mostly conduct vulnerability analyses after systems have been built, and only based on well-known attacks. Some competitors monitor network traffic for anomalous behaviour or scan the source code for vulnerabilities. “None of our competitors support design and implementation activities the way PROSA does,” explains V-SPHERE project leader Dr Anders Hagalisletto.

The team also learned that technical personnel in customer businesses are key to, and effectively make, purchasing decisions. The study concluded that sales efforts should target those individuals directly.

New partners

V-SPHERE researchers sought potential collaborators able to support commercial activities such as distribution, and those with certified expertise able to improve operational performance. Related efforts identified two suitable organisations.
The team also reconsidered its model of distribution via commercial partners, and the benefits of offering PROSA as a solution. Project partners concluded that direct selling is more important than indirect, and that a distribution model involving direct sales should remain in place. The direct mode more effectively helps improve the product in conjunction with facilitating discussion about customer needs.

A rewrite of the software development plan focused on PROSA extensions and improvements that meet the needs of today's security experts. “That detail is not public information,” says Dr Hagalisletto, “however, we intend to improve the editor, plus the security requirements and threat analysis modules.” The revised modules will be better able to detect various potential attacks.

Based on recent experience with Norwegian digital security companies, V-SPHERE researchers also made the business plan more realistic. The project team learned from its mentors (the EU and Inspiralia) that PROSA Security should own all intellectual property rights to its tools and methods, which was not the case when the project started. As a result of negotiations with the University of Oslo, all intellectual property rights have been transferred to PROSA Security.

Certain issues set back project activities so, although its official term under EU funding has come to a close, PROSA Security is looking to continue with a second phase of work. In the near future, the company will expand its Norwegian market by establishing contact with BankID, the major authentication provider for all Norwegian banking. Over the coming two years, the team will focus on building robust business relationships with the large national enterprises such as BankID and Buypass, and with American security companies, including AllClearID. Such relationships will help improve the PROSA tool and cybersecurity for customers.


V-SPHERE, PROSA, security, computer systems, software, cybersecurity, security-by-design