Executive Summary of the European Commission-ERCIM Seminar on ICT Security
ERCIM and the European Commission jointly organised a Strategic Seminar on "Engineering Secure Complex Software Systems and Services". The seminar was held in Brussels on October 16th 2008 and is the result of an effort of ERCIM, its Security and Trust Management Working Group, and the European Commission's DG INFSO Unit F5 "Security".
The seminar aimed at bringing together the relevant academic and industrial expertise in secure software engineering (SSE for short) and at linking it with industry's best practices in the field. As the Information Society continues to develop, the security of its supporting ICT infrastructures will grow in importance. The need for assurance of software systems and services demands a set of novel engineering methodologies and tools in order to ensure secure system behaviour. There is clearly both an urgent need and an opportunity to exploit synergies between advanced research approaches and industrial best practices in order to narrow the gap between theory and practice.
The specific objectives of the seminar were:
- to present the best practices applied in industry and to discuss latest progress on key R&D initiatives
- to encourage the dialogue and promote collaboration between scientists and industrial players
- to identify future key research challenges, in particular in the context of the evolution towards the Future Internet.
This report briefly describes the main findings of the seminar, which was attended by more than 60 stakeholders from industry and academia. The full seminar report, agenda, individual presentations and list of participants are available at http://www.ercim.org/activity/strategic_seminar.
1. Industrial Best Practices and Perspectives
The first panel of the seminar addressed industrial best practices in the field and future perspectives. The panellists also discussed IT frameworks, models and tools required for improving the development of secure software throughout its lifecycle; creating a sound business case for security; promoting software assurance, measurability and testing procedures for auditing and security compliance purposes; dealing with the increasing complexity of IT systems; and education, training and awareness initiatives.
In ever-changing and global markets, software companies are continuously developing and improving their procedures and tools for embedding security in their software systems and services. A rich set of best practices is now available in the form of documents and guidelines that call for strict development process control, supervision or review. Recently, joint corporate initiatives on secure software were also launched. They clearly demonstrate the great interest that major industrial players and private and public organisations have in cooperating in this field by sharing and promoting pragmatic approaches and proven software assurance practices. Automated support for enforcing best practices, and the ability to reason about the business impact of security, are key issues for managing security-related efforts in an economically feasible way.
Novel IT frameworks, models and tools during all phases of the software lifecycle
Software security should be an integral part of every phase of the software lifecycle (ie, from design to deployment, monitoring and auditing). The existence of common IT development and execution frameworks enforces the use of best practices and fosters collaborative work towards their further improvement for achieving higher levels of secure software. Formalising and describing how the many possible processes and their security requirements are to be organised into an application or system is essential to the software industry. Modelling tools could provide the right abstract schemes to make it possible to describe and assess alternative scenarios for achieving a balanced secure software solution. Furthermore, industry needs IT tools that support security in the software it produces or uses and that are platform- and programming-language-agnostic. In fact, industry requires tools that encapsulate specialised knowledge by translating underlying theoretical foundations into concrete secure software development practices. Such tools have to be well integrated into development environments and be easy to use by non-experts.
Creating the business case for security
Despite industry's growing interest in SSE practices, overall, IT security has to compete with several other investment priorities. With squeezed IT budgets and ever-shorter times to market, how much do managers need to spend on IT security to achieve enough security, and when is secure secure enough? Understanding the value that investments in secure software can add along the product value chain is vital for business and IT managers deciding whether to spend money on security. Specifically, managers need to understand how much risk their company is ready to take for a given threat and manage that risk accordingly.
Dealing with assurance, measurability and testing
Understanding the value of security and assessing and managing risks implies putting in place an appropriate set of "controls" at different levels: business, technology or processes. Such a control framework would allow prevention of vulnerabilities and monitoring of compliance with internal or external security requirements, including legal compliance. That requires, however, putting in place an appropriate set of independent measurement and testing procedures for all phases of the software lifecycle, as well as metrics for collecting data, auditing performance and, ultimately, proving and ensuring security by measuring it.
Dealing with increasing levels of complexity of software systems
Complexity increases rapidly when moving from the secure engineering of isolated application components to that of software systems that mix various infrastructure resources with application functionalities. Such software systems are usually built incrementally, resulting in "systems of systems" whose functionality often differs from what their underlying components were designed for. Moreover, they increasingly rely on real-time dynamic composition involving third-party software components and services. Under these circumstances, achieving secure systems and secure software products is a huge challenge and a key business success factor.
Promoting education and awareness
Security-conscious and well-educated software architects and software developers are needed, together with more investment in higher education, professional and on-the-job training. Dedicated awareness initiatives would also help stress the importance of secure software to managers, software architects, programmers and users.
2. Research Advances and Perspectives
The second panel of the seminar focused on promising research directions for engineering secure complex software systems. It addressed the following topics: security requirements engineering; model-based techniques and automated tools for the development of complex secure software systems; methods for secure coding and programming; the recent advances on methodologies and tools for the verification and validation of specifications and code; and finally, the role of risk in the creation of secure "systems of systems".
Security requirements engineering
Many security weaknesses originate in incomplete or conflicting security requirements. Specific expertise, methods and tools should be devoted to this task. For example, a step-by-step refinement procedure (eg, model-based requirements design) and automated tools would help security requirements engineers to improve the process from requirements elicitation to analysis and to track requirements through the subsequent software development steps. Also, mechanisms for turning negative-form requirements ("the system must never disclose X") into more operational ones, as is done for functional requirements, should be envisaged. As a whole, security requirements engineering is an area where progress is possible and potentially useful in order to answer common software industry needs.
Models for Secure Software Engineering
The software development process needs several models to deal with domain-specific aspects and to identify the correct security solutions to adopt. These models often have to be combined and refined in a way that ensures that the overall security of the final product is preserved. Appropriate techniques to pursue here are model-driven design, security patterns, and use-case and abuse-case modelling and analysis. Process description and model checking techniques could be used to validate specific solutions at a given design stage, eg for validating requirements. Design techniques should involve component-based approaches allowing modular verification; compositionality is in fact a major security challenge related to the scalability and inherent complexity of ICT systems. Another challenge to deal with, from a security point of view, is dynamic change of systems and code and dynamic evolution of system functionalities.
When applicable, formal methods can guarantee increased robustness of software. Today, the high cost of applying them is an impediment to their wider industrial deployment. Therefore, one of the research directions with major impact would be to embed formal methods in automated development tools in a way that is transparent to the user. Finally, methods for measuring the trustworthiness of software systems are yet another area of importance for industry where major research efforts are necessary.
Language-based security is regarded as the backbone of secure software engineering. Language-based security techniques and specific type systems make it possible to verify, at compile time, the absence of (certain) vulnerabilities and to constrain the run-time execution of applications. In effect, they move the burden of ensuring the security of the final code from the application programmer to the developers of the programming environment. Further progress is expected from several ongoing efforts aimed at embedding information-flow management techniques in programming languages such as Java, or at embedding security mechanisms in the Business Process Execution Languages used for composing complex services. A promising research area is the development of techniques for proving complex properties of cryptographic algorithms as well as provably correct implementations.
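As an added illustration of the compile-time information-flow checking mentioned above (example code written for this summary, not from the seminar or any of the projects it refers to), the following is a minimal Volpano-Smith style security type checker over a toy imperative language. Variables carry a label from a two-point lattice (LOW, HIGH); an assignment is rejected when the label of the assigned expression, joined with the label of the enclosing control flow (the "pc" label), exceeds the label of the target. The variable names and the four sample programs are constructed for this example.

```python
"""Minimal information-flow type checker (Volpano-Smith style).

Added example, not part of the ERCIM seminar report. It rejects programs
that move HIGH (secret) data into LOW (public) variables, including
implicit flows through conditionals, without running the program.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

LOW, HIGH = 0, 1  # two-point security lattice, LOW below HIGH


def join(a: int, b: int) -> int:
    """Least upper bound in the lattice."""
    return max(a, b)


# --- toy abstract syntax (assumed for illustration) ---------------------
@dataclass
class Var:
    name: str


@dataclass
class Const:
    value: int


@dataclass
class BinOp:          # any binary operator; only labels matter here
    left: "Expr"
    right: "Expr"


Expr = Union[Var, Const, BinOp]


@dataclass
class Assign:
    target: str
    expr: Expr


@dataclass
class If:
    cond: Expr
    then: List["Stmt"]
    else_: List["Stmt"]


Stmt = Union[Assign, If]


class FlowError(Exception):
    """Raised when a statement would leak higher-labelled data."""


def expr_label(e: Expr, env: Dict[str, int]) -> int:
    """Label of an expression: join of the labels of the variables it reads."""
    if isinstance(e, Const):
        return LOW
    if isinstance(e, Var):
        return env[e.name]
    if isinstance(e, BinOp):
        return join(expr_label(e.left, env), expr_label(e.right, env))
    raise TypeError(f"unknown expression {e!r}")


def check_stmts(stmts: List[Stmt], env: Dict[str, int], pc: int = LOW) -> None:
    """Reject any assignment whose source label (joined with pc) exceeds the target label."""
    for s in stmts:
        if isinstance(s, Assign):
            src = join(expr_label(s.expr, env), pc)
            if src > env[s.target]:
                raise FlowError(
                    f"{s.target} (label {env[s.target]}) would receive data of label {src}"
                )
        elif isinstance(s, If):
            # The branch taken depends on cond, so everything assigned inside
            # the branches implicitly reveals cond: raise pc to its label.
            inner_pc = join(pc, expr_label(s.cond, env))
            check_stmts(s.then, env, inner_pc)
            check_stmts(s.else_, env, inner_pc)
        else:
            raise TypeError(f"unknown statement {s!r}")


def first_violation(stmts: List[Stmt], env: Dict[str, int]) -> Optional[str]:
    """Return the first flow violation as text, or None if the program is secure."""
    try:
        check_stmts(stmts, env)
        return None
    except FlowError as err:
        return str(err)


# --- constructed sample programs ------------------------------------------
ENV = {"secret": HIGH, "public": LOW, "tmp": HIGH}

PROGRAMS: Dict[str, List[Stmt]] = {
    # public = secret
    "explicit_leak": [Assign("public", Var("secret"))],
    # if secret: public = 1 else: public = 0   (leaks one bit of secret)
    "implicit_leak": [If(Var("secret"), [Assign("public", Const(1))], [Assign("public", Const(0))])],
    # tmp = secret; public = tmp op 0          (laundering via a HIGH temp)
    "laundered_leak": [Assign("tmp", Var("secret")), Assign("public", BinOp(Var("tmp"), Const(0)))],
    # secret = public op 1; if public: public = 1 else: secret = 0   (LOW never reads HIGH)
    "safe": [
        Assign("secret", BinOp(Var("public"), Const(1))),
        If(Var("public"), [Assign("public", Const(1))], [Assign("secret", Const(0))]),
    ],
}


def run_examples() -> Dict[str, bool]:
    """Map each sample program name to whether the checker accepts it."""
    return {name: first_violation(prog, ENV) is None for name, prog in PROGRAMS.items()}


if __name__ == "__main__":
    for name, prog in PROGRAMS.items():
        print(f"{name:15s} -> {first_violation(prog, ENV) or 'accepted'}")
```

The "laundered_leak" case is the one worth noting: copying the secret through an intermediate variable does not help, because the label travels with the data rather than with the variable name, which is exactly the guarantee (noninterference for LOW observers) that such a type system provides and that ad hoc code review tends to miss.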
Advances in security verification and validation
Several rigorous techniques have been developed for checking system specifications, such as model checking and theorem proving. However, several limitations must still be addressed before they can be deployed more widely in industry. Relevant research issues include their scalability and coping with the ever-increasing complexity of software-intensive systems. In addition, one needs to take into account the uncertainty about the behaviour of the system components (eg malicious software) as well as external threats. Overall, more research effort is necessary to make security verification and validation tools usable in practice during software development at industrial scale.
Advances in risk assessment for systems of systems
Risk is a crucial notion in security and its role in the design of complex systems of systems needs to be further investigated. Issues to address here include assessing the complexity and the (cyclic) interdependencies inherent in ICT systems, often composed of several parts developed by different parties, and assessing risks linked to changes in the lifecycle of systems of systems through, for instance, compositional risk-assessment methodologies. Embedding risk explicitly in all the steps of the software development lifecycle could help to reduce cost and make the improvements in software engineering more concrete.
3. The Way Forward
The last panel considered the findings from the two first panels and brought up some additional aspects related to: (a) enabling methodologies and tools for building secure complex systems and services; (b) software liability aspects; and (c) standardisation, education and other relevant issues for the field.
Enabling methodologies and tools for building secure complex software systems
Security engineering and software engineering methodologies and platforms should be integrated. The general (wrong) perception is that software engineering deals with the construction of correct software, while security engineering deals with the deployment of software. The software architecture should be the starting point. Security, manageability and scalability should be the main drivers for software architects. Industry also needs usable and efficient methodologies and tools that automate security analysis of software code. Formal methods have proven useful for checking security specifications, but much less so for checking software implementations. It is therefore urgent to undertake further work to bridge the gap between fundamental theories and pragmatic approaches that industry can use.
Industrial software is often built on top of legacy systems and/or is outsourced. This calls for tools for verifying the security properties and performance of legacy systems and/or third-party software. The composition environment should make it possible to control the security properties of composed software both at design time and dynamically, at run time. Compositionality is a big challenge: even if a software system is built from individually trusted components, the overall system may not be trustworthy. Modular verification of smaller modules may prove to be a good solution in large complex systems.
For the moment, software companies in general, and in particular those offering packaged software services or Service Oriented Architecture (SOA)-based applications and services, are not liable for the damage that vulnerabilities in their products may cause. As liability may change with time, it is important for companies to adopt best practices quickly. Should software companies become liable, they would need to be in full control of all the products, applications and services they sell, including all the underlying technology components supporting such products. A prerequisite for solving software liability is solving the compositionality problem.
Standardisation, education and other relevant issues
Currently there is a lack of sufficient standardisation in software security. In some cases, clear specifications are available at a certain level of abstraction, but implementations of standards are often not completely in line with these specifications. Robust tools for testing and validating such implementations are necessary.
Often there is a gap between the methodologies that secure software engineers are taught in universities and the knowledge they need when working in industry. Closer and more productive cooperation is required between industry and academia in order to produce curricula dealing with both foundational principles and industrial reality.
4. Concluding Remarks
The significant participation of both industry and academia representatives at the event shows the relevance of the topics addressed. Industry is showing sufficient motivation for adopting best practices in the SSE field, and the scientific community can already offer several methodologies and tools. Targeting specific priorities such as those identified in this report would certainly help to close the gap between foundational and practical work. Security and software engineering also need to be integrated in one coherent framework. As the complexity of ICT systems increases, easy-to-use software tools that encapsulate highly specialised knowledge need to be developed through research and industrial partnerships. To ease this process, industry and academia should share expertise and adopt the same language and terminology.
Raising current levels of education and awareness in the field is another main issue emerging from the discussions held. Finally, special attention must be given to new forms of IT infrastructure such as cloud computing, the Internet of Things or, more broadly, the Future Internet, which bring new challenges for secure software as well as new opportunities for industry and business organisations.
ERCIM Strategic Seminars:
ERCIM WG on Security and Trust Management:
European Commission's DG INFSO Unit F5 "Security": http://cordis.europa.eu/fp7/ict/security/home_en.html
Dimitris Plexousakis, FORTH-ICS, Greece
Fabio Martinelli, IIT-CNR, Italy
Thomas Skordas, European Commission