Diamonds
Boosting software security for a connected worldWith the DIAMONDS methodology representing a unique enabling technology for testing the security of critical software systems, the project continues to deliver results years after it ended. Several standardisation documents have been adopted by the European Telecommunications Standards Institute (ETSI), for example, and have been forwarded to international standardisation bodies. These standardisation documents reflect the project's case studies, where the partners fine-tuned the methodology for different industrial sectors.
"Software," as online pioneer and entrepreneur Marc Andreessen noted in 2011, "is eating the world", with everything from governments to cities, industries to products like cars increasingly connected and in direct and continuous communication with us, our smart phones and much, much more.
This brings huge benefits, but also challenges and risks: these complex systems are vulnerable to attacks, potentially endangering human lives and undermining entire business sectors.
Nine software security failures in ten are caused by software defects - generally, a hacker can exploit a vulnerability, which should have been avoided by secure software design and development.
"Nine software security failures in ten are caused by software defects - generally, a hacker can exploit a vulnerability, which should have been avoided by secure software design and development, but at least spotted by software testing as early as possible in development," explains Prof. Dr. Ina Schieferdecker of Germany's Fraunhofer FOKUS, project coordinator of the DIAMONDS project. "The problem is that the systems' complexity, their openness and dynamics make it hard to test them - it's extremely difficult to assess what a new system's security risks will be, or test the security of a system ready to deploy or being in operation."
As a result, the market for security testing - particularly security test automation - is expected to reach EUR 4.5 billion by 2019, doubling in size in just five years. This market, however, is dominated by large US companies. The DIAMONDS project has placed software security testing on a more solid footing and helped several European SMEs develop new products and services.
Setting the software security standard
The project brought together 22 industrial and scientific players from six countries to develop a new security testing paradigm and methodology and successfully demonstrated and evaluated it in eight industrial settings from four different industrial domains. Innovations on risk-based testing, advanced fuzz testing or autonomous testing together with the Security Testing Improvement Profiling (STIP) evaluation scheme helped shaping the scene.
"Software security is not a problem with a single fix - it's too complex a field," says Prof. Dr. Schieferdecker. "Instead, we developed a new paradigm, known as model-based security testing, along with a set of various efficient test automation methods. We then tested those innovations in a wide array of case studies, brought by our project partners from banking, telecommunication, automotive and other sectors."
Industry-tested enabling technology
With the DIAMONDS methodology representing a unique enabling technology for testing the security of critical software systems, the project continues to deliver results years after it ended. Several standardisation documents have been adopted by the European Telecommunications Standards Institute (ETSI), for example, and have been forwarded to international standardisation bodies. These standardisation documents reflect the project's case studies, where the partners fine-tuned the methodology for different industrial sectors.
"The case studies also accelerated the project's results to market," Schieferdecker points out. "This was particularly beneficial for the small companies in the project - overall, DIAMONDS enabled five new products, three new services and ten product updates."
For example, the security analysis functionality of the Montimage Monitoring tool of the French SME Montimage, has been improved and integrated within the MMT tool suite and is now being carried out with the Thales TCS business division. Thanks to the business impact coming from the results of the project, Montimage's workforce increased from five to nine people.
Thanks to the business impact coming from the results of the project, Montimage's workforce increased from five to nine people.
Similarly, Smartesting - another French SME partner - developed, prototyped and validated a new approach to testing Web application security, upgraded its CertifyIt product and forged new relationships with major European industrial clients.
And as a result of the DIAMONDS project, Fraunhofer FOKUS became recognised as an expert in the field of security testing in industry as well as in the academic realm. The System Quality Center at Fraunhofer FOKUS provides methods, processes and tools for the development and quality assurance of software-intense systems that often perform business-critical or security- and safety-relevant functions in urban infrastructures, cars, trains, planes or factories. In order for such systems to work fault tolerantly, fail-safely and IT-securely, even in unexpected situations, the system quality has to be ensured throughout the entire development process, from the requirements analysis to the certification. Testing Technologies, a German test system provider that offers standardized testing technology, integrated the results of the project into its TTCN-3 test development and execution platform TTworkbench and thus extended the capabilities of this platform towards security testing. In addition, Testing Technologies successfully initiated standardization work on security testing at ETSI MTS.
These exploitation results show that ITEA is a perfect programme to create business impact for different kinds of partners in a project, both large and small.
These exploitation results show that ITEA is a perfect programme to create business impact for different kinds of partners in a project, both large and small.
At the end of April 2016, the ITEA 2 project DIAMONDS was announced as the winner of the EUREKA Innovation Award 2016 in the category 'Added Value'. Prof. Dr. Schieferdecker stated: "This prestigious award honours our work and that of our project partners for model-based security testing within DIAMONDS. Its innovative methods and tools obtain enhanced visibility. We want to use it at Fraunhofer FOKUS to strengthen the importance and dissemination of security-oriented testing methods and to develop further innovative approaches by our System Quality Center. Thank you also to ITEA, the EUREKA Network, and the national authorities. ITEA as a EUREKA Cluster programme is a solid partner for supporting innovative, industry-driven, pre-competitive R&D projects in the area of Software-intensive Systems & Services. I am looking forward to continuing our work on research and development of methods for security testing as it is an important and future-oriented topic."
More information
Download DIAMONDS Success storyRelated projects
DIAMONDSOrganisations
Fraunhofer (Germany)Montimage EURL (France)
Smartesting (France)
Testing Technologies IST GmbH (Germany)
Thales DIS FRANCE SAS (France)
Thales SIX GTS France S.A.S (France)