NESSoS: Network of Excellence on Engineering Secure Future Internet Software Services and Systems
Fabio Martinelli
Outline
- Motivation and main goals
- Consortium expertise
- Integration strategy
- Structure of the NoE
  - Integration Activities
  - Research Activities
  - Spread of Excellence Activities
  - Management Activities
- Highlights
- Relationships with other communities
Aim
NESSoS aims at constituting a long-lasting virtual research centre on engineering secure software-based services and systems:
- Reducing the vulnerabilities in Future Internet Software-based Services (FISS)
- Improving the design and overall assurance level of FISS
- Providing means for a risk/cost based SDLC for FISS
NESSoS will contribute to creating an active research community by reducing the existing fragmentation and by re-addressing, integrating and harmonizing the research agendas of the NESSoS partners, spanning out from the organizations involved towards the wider scientific and technological communities.
NESSoS is committed to achieving very significant advances in knowledge, to spreading the research excellence achieved, and to roadmapping activities.
NESSoS will contribute to the growth of a generation of researchers and practitioners in the area by creating a common body of knowledge (CBK) directly exploitable for training and education purposes.
Motivation
There is a demand for engineering secure Future Internet software-based services and systems that can:
- Resist threats in the new application scenarios (e.g. by reducing system vulnerabilities)
- Be developed in a more efficient way
- Show, with justifiable evidence, their assurance level
- Manage risk and cost issues during their development
The research community is addressing these issues from several perspectives:
- Industry has set up its own initiatives (e.g. SAFECode)
- The US is working on several initiatives
- There is, however, a competitive advantage in the EU: engineering is more than coding
Goals
- Creation of a long-lasting research community on engineering secure software-based service systems.
- Creation of a common body of knowledge: the goal is to collect, extend and integrate knowledge, thus constituting a European common body of knowledge in the area.
- Integration of research agendas and roadmapping activities: the objective is to merge, redirect and integrate the research agendas of the involved partners (including the associate ones), as well as to influence the wider scientific and technological communities.
- Integration of infrastructures and tools from NESSoS partners, to provide access to a common shared facility for European institutions.
- Contribution to dissemination and spreading of excellence: the objective is to start a Europe-wide common program of education and training for researchers and industry that will foster the alignment and integration of European competence and knowledge.
- Valorisation and mobility of human resources.
- Reducing the gap between industrial best practices and research: the objective is to establish strong, long-lasting links with European industry, such as the SAFECode industry-driven initiative, the European Technology Platforms (ETP), and the Networked European Software & Services Initiative (NESSI).
Specific Research Goals
- A secure software engineering discipline with focus on Future Internet Services, with three main vertical areas: security requirements engineering; secure service architectures and design; programming environments and language-based security.
- Design our systems for assurance, in order to be able to prove the robustness of new services.
- Compositional, modular, scalable solutions.
- A holistic SDLC that includes the notions of risk and cost, allowing the prioritization of investments during the SDLC depending on the business goals of FISS.
The Core Consortium
1. CNR, Consiglio Nazionale delle Ricerche (Italy): Antonella Bertolino, Domenico Laforenza, Fabio Martinelli
2. ATOS, Atos Origin (Spain): Aljosa Pasic, Pedro Soria
3. ETH, Eidgenössische Technische Hochschule Zürich (Switzerland): David Basin, Srdjan Capkun, Peter Müller, Christoph Sprenger
4. IMDEA, IMDEA Software (Spain): Gilles Barthe, Anindya Banerjee, Manuel Clavel
5. INRIA, Institut National de Recherche en Informatique et en Automatique (France): Benoit Baudry, Valérie Issarny, Jean-Marc Jézéquel, Michael Rusinowitch
6. KUL, Katholieke Universiteit Leuven (Belgium): Wouter Joosen, Frank Piessens, Dave Clarke, Riccardo Scandariato, Lieven Desmet, Bart Preneel
7. LMU, Ludwig-Maximilians-Universität München (Germany): Martin Wirsing, Martin Hofmann, Heinrich Hussmann, Dieter Kranzlmüller, Claudia Linnhoff-Popien
8. SIEMENS, Siemens Aktiengesellschaft, Corporate Technology (Germany): Jorge Cuellar, David von Oheimb, Monika Maidl
9. SINTEF, SINTEF ICT (Norway): Ketil Stølen, Fredrik Seehusen, Atle Refsdal, Mass Soldal Lund, Bjørnar Solhaug
10. UDE, University Duisburg-Essen (Germany): Maritta Heisel, Stefan Eicker, Klaus Pohl, Albrecht Schmidt
11. UMA, University of Malaga (Spain): Javier Lopez, Ernesto Pimentel
12. UNITN, University of Trento (Italy): Bruno Crispo, Paolo Giorgini, Fabio Massacci
Current Affiliated Partners
The following researchers are currently formally affiliated: Ernesto Damiani, University of Milan, Italy; Claudia Eckert, Fraunhofer SIT, Germany; Jan Jürjens, TU Dortmund, Germany; Sokratis Katsikas, University of Athens, Greece; Bashar Nuseibeh, LERO, Ireland; Erik Poll, Radboud University Nijmegen, The Netherlands; Dave Sands, Chalmers University, Sweden; George Spanoudakis, City University, UK.
Integration activities
Integration Activities:
- Joint Virtual Research Lab (including virtual education centre)
- Integration of methodologies and tools in the Tool Workbench
- Integration of research communities and research agendas
- Human resources management (researcher mobility program)
- Integration of Knowledge
Expected results:
- Distributed Joint Virtual Lab (web portals, virtual education centre)
- Integrated SDLC Tool Workbench (with at least 15 tools)
- Evaluation methodologies
- A new research community in secure software engineering
- Roadmapping activities
- Common Body of Knowledge in secure software engineering
- Handbook for the working security and service engineers
- An effective mobility program for human resources (integrated also with industrial partners); it also exploits existing programs
Research Activities
Research Activities:
- Security Requirements Engineering
- Secure Service Architectures and Design
- Programming Environments and language-based security
- Security Assurance for Services
- Development of risk and cost aware SDLC
- Domain specific application scenarios (including demonstrators)
[Figure: research themes (blue) and crossing research themes (red). The crossing themes are Security Assurance for Services, Risk and cost aware SDLC, and Domain specific application scenarios.]
Security requirements for services
- The definition of techniques for the identification of all stakeholders (including attackers), the elicitation of high-level security goals for all stakeholders, and the identification and resolution of conflicts between different stakeholder security goals
- The refinement of security goals into more detailed security requirements for specific services and devices
- The identification and resolution of conflicts between security requirements and other requirements (functional and other quality requirements)
- The transformation of a consolidated set of security requirements into security specifications
Secure service architectures and design
- Model-based approaches for decomposing security concerns in software architectures
- Methods for composing security solutions in a principled way
- Collection of architectural knowledge and patterns to be reused in secure service compositions
Programming environments for Secure and Composable Services
- Security support for service composition languages
- Run-time and platform support for security enforcement
- Security support for programming languages, aiming for verification
Security Assurance for Services
- Security metrics
- Process support for security assurance
- Building blocks for security assurance in the early development stages
- Building blocks for security assurance in the implementation stages
- Transverse methodologies for security assurance
Risk and Cost Aware Software Development Lifecycle
- A basic methodology to perform risk management and cost assessment throughout the SDLC
- Prototypical versions of tool support for the basic methodology
- Extra methods and techniques to conduct risk management at run-time
- An integrated approach to security in the SDLC, offering risk and cost awareness on top of a development process that delivers security assurance
Future Internet Application Scenarios
- A set of application scenarios to drive and inspire the NESSoS methodology
- The validation of NESSoS methodologies in the realisation of specific application scenarios
- The validation of NESSoS tools in specific application scenarios
- Two demonstrators to illustrate the outcome of integrated research in NESSoS
Spread of excellence activity
Spreading Excellence Activities:
- Dissemination and communication (including raising end user awareness on secure software assurance)
- Education and Training (Ph.D. schools, open competitions, e-learning facilities, virtual campus)
- Exploitation, standardization and liaison, and validation by industry
Expected results:
- A flagship event on engineering secure software systems and services
- 3 Ph.D. summer schools
- 3 industry/research seminars
- Curricula for a master on Secure Software Engineering
- Material for the virtual education centre (more than 20 courses)
- 3 open competitions inside the NESSoS research areas
- More than 210 publications
- More than 20 Ph.D.s
Management activities
Management Activities:
- Network Management (including administrative, financial and IPR management, and steering)
- Excellence & Sustainability (including S&T assessment and monitoring)
Expected results:
- Effective administrative and financial management
- Simple management structure
- Effective decision making process
- Information flow management
- Scientific coordination and excellence assessment; if useful, adjustments are planned at month 18
- Sustainability plan
- Exploitation plan, in order to sustain the NoE with joint project proposals
- Risk management plan
The network and its community will last after the end of the funding period!
Towards wider community (1)
NESSoS has an Industrial Advisory Board (IAB), with representatives from the main ETPs and industrial stakeholders.
Chair: Aljosa Pasic (Atos Origin, TSD); Deputy: Jorge Cuellar
Members: J. Claessen (Microsoft EMIC), J. Clarke (WIT, also as e-Mobility ETP representative), E. Delgado (ESI), T. Dimitrakos (BT), V. Lotz (SAP), D. Presenza (Engineering S.p.A.), D. Rotondi (TXT), R. Savola (VTT, also as NEM ETP representative), D. Scarlatti (Boeing Research), N. Weinright (HP), A. Wespi (IBM), …
Towards wider community (2)
NESSoS has a Networking and Liaison Advisory Board. We plan to keep relationships with international communities; Javier Lopez will manage this.
NESSoS has relationships with S-CUBE and cooperates with EFFECT+, …
Highlights
- A Distributed Virtual Research Lab
- New methodologies and tools, including an open Tool Workbench for the SDLC (loosely integrating at least 15 tools)
- A new, well identifiable research area for Secure Software Engineering for Future Internet Services, including assurance and risk/cost considerations
- A new, long-lasting research community with strong EU roots (currently more than one hundred researchers)
- Increasing public awareness of the topics of the NoE
- A flagship conference (ESSoS), recognized worldwide as the leading event in the area
- Roadmapping and coordination activities
- New education material and master/Ph.D. programs (at least 17 courses), including open competitions
- New knowledge: more than 210 papers produced; an open Common Body of Knowledge (created and validated by the community at large) plus a Handbook for the working security engineer
- New human resources: more than 20 post-docs at the end of the NoE; more than 25 visits in the mobility program