Europe is largely dependent on software open-source mainly designed overseas. Within the European Digital Single Market, most software is assembled online and more than half comes from software (repositories) open-source made across the border.
Some universities, small, medium and large enterprises, a specialized interest group and an advisory board with key competences in the field of software open-source, have come together in a strategic partnership to create new methods and approaches to accelerate the development of more efficient and secure software.
In this article we will briefly see the attempt of the AssureMOSS project (Assurance and certification in secure Multi-party Open Software and Services - https://assuremoss.eu) to face the software challenge open-source “Designed everywhere, but guaranteed in Europe”. The three-year project (October 2020 - September 2023) is funded by the European Commission under the HORIZON 2020 program [1].
The rush to assembled software and the MOSS paradigm
In the last decade, among the many innovations, two main characteristics in particular have radically changed and conditioned software development projects [2]. First, the shortening of the feedback loop between development teams and the response to the products these teams release (e.g., A / B testing, DevOps) has led to frantic development with faster product changes. Secondly, developers have increasingly focused on differentiating features in their end products, but increasingly relying on third parties for everything else (cloud implementation, extensive use of open frameworks such as OpenSSL [3] or Node .js [4], or use of more restricted products but with protocols, procedures, libraries and APIs [5] anyway open-source). All this has led to a development that involves different parties (called multi-stakeholder, from English: multi-interested party): the result is an assembly operated by different actors, each with their own security and privacy practices / policies.
We can already introduce an acronym here that we will use in the rest of the article. Modern software is based on a paradigm called Multi-party Open Software and Services (MOSS). Therefore, a software company that develops a product represents only one of the protagonists involved in the process of guaranteeing the software security on that same product.
These parties involved include the OS development communities, for example, in creating security updates, or companies that provide new security services or updates to existing interfaces. The MOSS paradigm certainly applies to the case of larger companies, while smaller companies, such as SMEs and start-ups, may have a shorter supply chain that is mainly based on free and open source software (FOSS - Free and Open Source Software).
The latter is the backbone of the software industry: almost 80% of commercial products today contain at least one FOSS component to the point that the European Parliament has formally recognized its key role. It is also interesting to note the progressive trend to reduce the portion of code produced internally by software development companies. In the late 90s, over 95% of the software stack consisted of self-developed code. Only the Databases and Operating Systems came from licensed closed-source vendors. Observing the current trend, it can be seen that in 2019, on the other hand, the portion of code produced internally has drastically decreased to represent only 5% of the pie: browsers, UI frameworks, package managers, application servers, microservice platforms, containers, systems operating containerized, they are all generally third-party software components (mostly open-source) that software companies use on a daily basis [6-7-8].
Software certification and recertification
This evolution of the software development process in rapid and fragmented cycles would imply as many processes / cycles of certification and guarantee of software security due to the numerous changes that have consequences on security and privacy (a new vulnerability could for example be introduced by the use of a new library capable of accessing personal data and possibly transmitting them). Therefore, the new paradigm for guaranteeing security should be "light and continuous" compared to the previous "rigid and fixed" paradigm. We should therefore not speak of certification but rather of certification, recertification and risk assessment.
The fact that software development is, in fact, a multi-stakeholder activity (where some stakeholders are hidden in sub-sub-dependencies on third-party libraries) means that assurance techniques should work in a fragmented ecosystem with multiple sources of artifacts (e.g. from the community open-source), different technologies and languages and different decision domains. As a result, a new paradigm for security assurance involves a "smart and flexible" approach - one that is able to learn, adapt and improve over time with the availability of new data and additional feedback.
Unless innovative, lightweight and intelligent security assurance techniques are created that can integrate with multiple stakeholders and fast-paced developers, security will continue to be penalized [9] by the productivity race of development teams. urged to roll out new features on a daily basis.
Fast, multi-stakeholder development also poses a challenge to secure software certification. Existing security certification schemes, including those for projects open-source, such as Core Infrastructure Initiative (CII) Badge Program [10], focus on certifying that software projects follow certain security best practices. Essentially, these schematics focus on the software development process. However, in modern software projects, the development process is becoming more fluid and continually adapted by developers (as opposed to being rigid and centrally enforced). As a result, the facilities involved in each phase may not have the necessary resources to acquire and maintain these certifications.
The challenge of the AssureMOSS project
From what has been said, the need for a change of perspective on the part of the European Union will certainly have been perceived, which has tried to trigger a new approach by financing the AssureMOSS project. The project involves a team consisting of 4 Universities (Delft, Gotheborg, Trento, Vienna), 3 innovative SMEs (Pluribus One, FrontEndArt, Search-Lab), 2 large companies (SAP, Thales), the EU-VRi organization and a Advisory Board composed of strategic figures from the world of industry and Open Source Software (OSS).
Specifically, AssureMOSS proposes to implement the transition from process-based to artifact-based security assessment (Models, Source code, Container images, Services), supporting all phases of the continuous software life cycle (design, development, implementation , evaluation and backup).
AssureMOSS therefore adopts a comprehensive approach to security assurance and recertification and has the ambition to contribute to every stage of the software development process, thanks to a coherent set of automated and lightweight techniques that allow software companies to evaluate, manage and recertify the security and privacy risks associated with the rapid development and continued delivery of multi-party open software and services. Ultimately, the project aims to support the creation of more secure MOSS software.
The key idea is to support lightweight and scalable screening mechanisms that can be automatically applied to the entire population of software components by:
• use of Machine Learning for the intelligent identification of security problems among artifacts;
• analysis and verification of changes through continuous tracking of side effects on privacy and security;
• constant risk analysis and software security assessment (with particular attention to the potential impacts on the business caused by potentially vulnerable products).
The project will generate not only a number of innovative methods and open source tools, but also benchmark datasets with thousands of vulnerabilities and code that can be used by other researchers.
The AssureMOSS tools will help, for example, to save time in the search for bugs and vulnerabilities through the semi-automatic screening of additions, removals and changes in the code repositories (commit analysis [11]), thus also speeding up the evaluation and analysis process of the software.
The change of perspective (artifacts vs processes) and the concept of continuous recertification of the developed software, are therefore the basis of an extremely ambitious challenge: to establish the guidelines that can be used, for example, by certification and standardization bodies to found a Artifact-focused certification scheme for MOSS software.
The basic intuition is well summarized by a well-known practice in the medical health field [12] and which we adapt here for the purpose: “Screening is defined as the preventive identification of a disease in an apparently healthy and asymptomatic population by means of tests ( of software components), examinations or other procedures that can be applied quickly and easily to the target population. [...] In supporting screening programs, it is important to avoid imposing models derived from highly efficient environments with advanced health systems and sophisticated and expensive (safety) verification schemes, on companies, processes, (developers and users) in countries that do not have the necessary infrastructure and resources to obtain adequate prevention on the population ".
1 The AssureMOSS project is regulated by the Grant Agreement n ° 952647, and is funded for a total of 4.689.425 Euros, www.pluribus-one.it/it/ricerca/progetti/assuremoss
2 Jan Bosch, Speed, Data, and Ecosystems: Excelling in a Software-Driven World, CRC Press, 2016
3 OpenSSL is an open source implementation of the SSL and TLS protocols, available for most unix-like operating systems, including GNU / Linux and macOS, and also for Microsoft Windows, www.openssl.org
4 Node.js is an event-oriented cross-platform open source runtime system for running JavaScript code, built on Google Chrome's V8 JavaScript engine. Many of its core modules are written in JavaScript, and developers can write new modules in JavaScript, https://nodejs.org/it/
5 API, acronym for Application Programming Interface, www.redhat.com/en/topics/api/what-are-application-programming-interfaces
6 Black Duck's Future of Open Source Survey, 2015
7 Holger Mack, Tom Schröer, Security Midlife Crisis, SAP Product Security Summit 2019
8 http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&refe...
9 According to CVE Details, 2017 smashed the record of vulnerabilities of the previous years (14714 in 2017 vs the previous record of 7946 in 2014). Unfortunately, 2018 has done even worse (16555 vulnerabilities). https://www.cvedetails.com/browse-by-date.php
10 https://www.coreinfrastructure.org
11 https://wiki.ubuntu-it.org/Programmazione/Git/Commit
12 https://www.who.int/cancer/prevention/diagnosis-screening/screening/en/
13 Eoin Woods, Democratizing Software Architecture, Keynote at ICSA 2019, online at https://speakerdeck.com/eoinwoods/democratising-software-architecture
14 www.pluribus-one.it/it/chi-siamo/blog/88-cybersecomics/111-bug
