18 January 2022
Proactive Approaches For Secure Software Development
The CyberSec4Europe report, “Proactive approaches for secure software development”, presents a total of 13 assets that support different activities in the lifecycle of software.
They address the current research challenges in terms of security and privacy for a number of key topics:
- Policy-based security management,
- Security modeling,
- Risk analysis / assessment,
- Certification security product and security enforcement, and
- Smart security/privacy-preserving tools.
The report is the work of the Software Development Lifecycle (SDL) task and also references the smart cities demonstrator use case as outlined in the news article Security and Privacy Tale of Three Smart Cities.
The demonstrator is based on a common scenario of a smart city platform featuring some of the security challenges typical of such platforms described above, with a special focus on the notion of cloud-based IoT applications that receive, analyse, and manage data in real-time to help municipalities, businesses and citizens make decisions that improve the quality of their lives. Citizens engage with smart city ecosystems in a variety of ways, using smartphones and mobile devices. Pairing devices and data with a city’s infrastructure and physical services can reduce costs and improve sustainability. Communities can improve energy distribution, optimise garbage collections, reduce traffic congestion and even improve air quality with the help of the IoT. All these challenges require software techniques that are significantly enhanced by improving the overall security of the devices.
The SDL demonstrator shows how security and privacy aspects in the software lifecycle can be effectively and proactively addressed with the support of automated instruments. The report focuses mainly on how these assets are integrated in a common IoT scenario, providing an understanding of the different components inside each category and how they can cooperate to improve software development.
Architectural Building Blocks
Each asset covers a specific building block of the global architecture, as indicated in the diagram above, and is used as follows:
- SEMCO: to model the high-level architecture and define security requirements and design patterns against common threats.
- Modssl-hmac and HoneyGen: to ensure privacy of passwords in the authentication system.
- Hermes and VTPin: to detect weak points to make the system resilient to attacks.
- PLEAK: to analyse potential privacy leaks in the data flows.
- SOBEK: to ensure security enforcement of user privacy location policies on their Android phones.
- PVS: to verify the protocols used in device-to-device communications such as 5G-AKA.
- CORAS, BOWTIE++ and RISQFLAN: to model and assess security risks in traffic sensors and control.
- SYSVER and VEREFOO: to guarantee correct and efficient implementation and configuration of network security policies.
In the report each asset is described in detail with:
- a general overview of its functionality,
- a demonstration showing how the asset can be effectively applied in the smart cities scenario,
- a summary of the research challenges addressed by the asset, and
- a description of future research opportunities.
A set of companion videos for each asset can be found on the CyberSec4Europe website.
The report presents proactive approaches for secure software development and demonstrates how the 13 assets complement one another across the software lifecycle. Each asset stems from the need to address the security and privacy challenges identified in the report Research Challenges and Requirements for Secure Software Development, and practically demonstrates the building blocks needed to address those challenges in the software development lifecycle.
In summary, this document provides a complete overview of CyberSec4Europe’s secure software development technologies and their importance in the context of smart cities.