We encounter software almost everywhere in our everyday lives: we open our emails on our smartphones, make contactless payments when shopping or book a flight for our next holiday.
The development of secure software is therefore of great importance. But how can we be sure that the software works securely?
Static programme analysis can be used to find out and also uncover security vulnerabilities. This can also help to prevent cyberattacks that result in millions in losses.
There are many tools for static programme analysis. The code is analysed - but without executing the code.
However, due to the large number of tools, it is also difficult for many software engineers to find the right tool. In addition, these tools in turn contain a large number of options that have to be selected manually. This is where the SOSA project of our Secure Software Engineering workgroup comes in.
With SOSA, software engineers can specify the code to be analysed. However, the tool and the options are no longer selected manually: SOSA does this by selecting and configuring the optimal tool depending on the context. This approach works through automation.
SOSA should also be self aware of its own actions in order to analyse the program code more quickly and efficiently. This means that SOSA should understand how good the analysis is and why. As a result, SOSA understands the context better so that it can make better decisions about which tool is best suited for which options in the next analyses.
The aim of the project is to help software engineers make better decisions and find security vulnerabilities more effectively.
The topic is more relevant than ever: in 2023, the EU has enacted the Cyber Resilience Act (CRA). This stipulates that products with digital software must fulfil certain cyber security requirements. The CRA will apply from December 2027.
You can find out more about the project of our Secure Software Engineering workgroup here.
