AssureMOSS

The Assurance and certification in secure Multi-party Open Software and Services (AssureMOSS) is to produce a coherent set of automated, lightweight techniques that allow software companies to assess, manage, and re-certify the security and privacy risks associated with the fast-paced development and continuous deployment of multi-party open software and services (for which we introduce the MOSS acronym). Ultimately, we aim to support the creation of more secure MOSS software.

Continuous, distributed changes rule today's European Digital Single Market as no single company does master its own national, in-house software. Software is mostly assembled from “the internet”, and more than half come from Open Source Software repositories (some in Europe, most elsewhere). Security & privacy assurance, verification and process certification techniques designed for large, controlled updates over months or years must now cope with small, continuous changes in weeks, happening in sub-components and decided by third-party developers one did not even know existed. AssureMOSS addresses these challenges to the fullest extent: «Open Source Software - Designed Everywhere, Secured in Europe». AssureMOSS proposes to switch from a process-based to an artefact-based security evaluation by supporting all phases of the continuous software lifecycle (Design, Develop, Deploy, Evaluate and back) their artefacts (Models, Source code, Container images, Services). The key idea is to support mechanisms for lightweigth and scalable screenings applicable automatically to the entire population of software components by

• Machine intelligent identification of security issues across artifacts,
• Sound analysis and verification of changes by tracing the security and privacy side effects
• Business insight by risk analysis and security evaluation.

This approach supports the fast-paced development of better software with a new notion: continuous (re)certification. The project will generate not only a set of innovative methods and open-source tools but also benchmark datasets with thousands of vulnerabilities and code that can be used by other researchers.

Reason for applying to HSbooster.eu services

In the AssureMOSS project, we aim to improve the security of MOSS (Multi-party Open Software and Services), which faces challenges of increasing complexity, high-frequency update cycles and high costs of evaluation. In this quest, we created a methodology to evaluate and certify MOSS projects regularly to improve and maintain a higher level of security in those projects. We aim to make the methodology and tools related to this effort open source for the benefit of the open projects. By making the AssureMOSS scheme an open standard, adaption of the certification scheme would accelerate, and overall security of MOSS projects would also benefit.

Main Standardisation Interests

In AssureMOSS we concentrate on the domain of MOSS, where constant recertification caused by the rapid release cycles of a product would cause extreme overhead in the budget and for developers as well if they need to maintain a documentation suitable for security evaluation. The AssureMOSS scheme would fill a void in the cloud- and microservices domain by employing the concept of delta evaluation in a lightweight certification scheme. Building on the capabilities of the AssureMOSS tools and implementing the methodology of the hereby presented AssureMOSS scheme, we will build on the DeltAICert tool, which will be able to help the work of security evaluators by automating the security evaluation and certification process via delta evaluation, which concentrates the evaluation effort on the changes between the certified and new version of the target of evaluation (ToE).