NESSOS
Fabio Martinelli
Network of Excellence on Engineering Secure Future Internet Software Services and Systems
Outline
Motivation and main goals
Consortium expertise
Integration strategy
Structure of the NoE
Integration Activities
Research Activities
Spread of Excellence Activities
Management Activities
Highlights
Relationships with other communities
Aim
NESSoS aims to constitute a long-lasting virtual research centre on engineering secure software-based services and systems
Aiming at reducing the vulnerabilities in Future Internet Software-based Services (FISS)
Improve the design and overall assurance level of FISS
Provide means for a risk/cost based SDLC for FISS
NESSoS will contribute to create an active research community
by reducing the existing fragmentation,
by re-addressing, integrating, harmonizing research agendas of NESSoS partners
as well as spanning out of the organizations involved towards wider scientific and technological communities
NESSoS is committed to achieving very significant advances in knowledge and to spreading the research excellence achieved, as well as to roadmapping activities
NESSoS will contribute to the growth of a generation of researchers and practitioners in the area by creating a common body of knowledge (CBK) directly exploitable for training and education purposes
Motivation
There is a demand for engineering secure Future Internet software-based services and systems that could
Resist threats in the new application scenarios (e.g. by reducing system vulnerabilities)
Be developed in a more efficient way
Show with justifiable evidence their assurance level
Manage risk and cost issues during their development
The research community is addressing these issues from several perspectives
Industries set up their own initiatives (e.g. SAFECode)
The US is working on several initiatives
However, there is a competitive advantage in the EU: engineering is more than coding
Goals
Creation of a long lasting research community on engineering secure software-based service systems.
Creation of a common body of knowledge: The goal is then to collect, extend and integrate knowledge, thus constituting a European common body of knowledge in the area.
Integration of research agendas and roadmapping activities: The objective is to merge, redirect and integrate research agendas of the involved partners (including the associate ones) as well as influence the wider scientific technological communities.
Integration of infrastructures and tools from NESSoS partners to provide access to a common shared facility for European institutions.
Contribution to dissemination and spreading of excellence: The objective is to start a Europe-wide common program of education and training for researchers and industry that will foster the alignment and integration of European competence and knowledge.
Valorisation and mobility of human resources.
Reducing the gap between industrial best practices and research: The objective is to establish strong, long lasting links with European industry, such as the SAFECode industry-driven initiative and European Technology Platforms (ETP), and the Networked European Software & Services (NESSI).
Specific Research Goals
Secure software engineering discipline with focus on Future Internet Services, with three main vertical areas:
Security requirement engineering,
Secure service architectures and design,
Programming environments and language-based security.
Design our systems for assurance in order to be able to prove the robustness of new services.
Compositional, modular, scalable solutions.
Holistic SDLC that includes the notions of risk and cost
Allow the prioritization of investments during SDLC depending on the business goals of FISS
The Core Consortium
1. Consiglio Nazionale delle Ricerche (CNR), Italy: Antonella Bertolino, Domenico Laforenza, Fabio Martinelli
2. Atos Origin (ATOS), Spain: Aljosa Pasic, Pedro Soria
3. Eidgenössische Technische Hochschule Zürich (ETH), Switzerland: David Basin, Srdjan Capkun, Peter Müller, Christoph Sprenger
4. IMDEA Software (IMDEA), Spain: Gilles Barthe, Anindya Banerjee, Manuel Clavel
5. Institut National de Recherche en Informatique et en Automatique (INRIA), France: Benoit Baudry, Valérie Issarny, Jean-Marc Jézéquel, Michael Rusinowitch
6. Katholieke Universiteit Leuven (KUL), Belgium: Wouter Joosen, Frank Piessens, Dave Clarke, Riccardo Scandariato, Lieven Desmet, Bart Preneel
7. Ludwig-Maximilians-Universität München (LMU), Germany: Martin Wirsing, Martin Hofmann, Heinrich Hussmann, Dieter Kranzlmüller, Claudia Linnhoff-Popien
8. Siemens Aktiengesellschaft, Corporate Technology (SIEMENS), Germany: Jorge Cuellar, David von Oheimb, Monika Maidl
9. SINTEF ICT (SINTEF), Norway: Ketil Stølen, Fredrik Seehusen, Atle Refsdal, Mass Soldal Lund, Bjørnar Solhaug
10. University Duisburg-Essen (UDE), Germany: Maritta Heisel, Stefan Eicker, Klaus Pohl, Albrecht Schmidt
11. University of Malaga (UMA), Spain: Javier Lopez, Ernesto Pimentel
12. University of Trento (UNITN), Italy: Bruno Crispo, Paolo Giorgini, Fabio Massacci
Current Affiliated Partners
The following researchers are currently formally affiliated
Ernesto Damiani, University of Milan, Italy;
Claudia Eckert, SIT Fraunhofer, Germany;
Jan Jurjens, TU Dortmund, Germany;
Sokratis Katsikas, University of Athens, Greece;
Bashar Nuseibeh, LERO, Ireland;
Erik Poll, Radboud University Nijmegen, The Netherlands;
Dave Sands, Chalmers University, Sweden;
George Spanoudakis, City University, UK.
Integration activities
Integration Activities:
•Joint Virtual Research Lab (including virtual education centre)
•Integration of methodologies and tools in the Tool Work Bench
•Integration of research communities and research agendas
•Human resources management (Researcher mobility program)
•Integration of Knowledge
Expected results:
Distributed Joint Virtual Lab (Web portals, Virtual education centre)
Integrated SDLC Tool Workbench (with at least 15 tools)
Evaluation methodologies
A new research community in secure software engineering
Roadmapping activities
Common Body of Knowledge in secure software engineering
Handbook for the working security and service engineers
An effective mobility program for human resources (integrated also with industrials). It also exploits existing programs.
Research Activities
Research Activities:
•Security Requirements Engineering
•Secure Service Architectures and Design
•Programming Environments and language-based security
•Security Assurance for Services
•Development of risk and cost aware SDLC
•Domain specific application scenarios (including demonstrators)
Research themes (blue) and crossing research themes (red)
Risk and cost aware SDLC
Security Assurance for Services
Domain specific application scenarios
Security requirements for services
The definition of techniques for the identification of all stakeholders (including attackers), the elicitation of high-level security goals for all stakeholders, and the identification and resolution of conflicts between different stakeholder security goals
The refinement of security goals into more detailed security requirements for specific services and devices
The identification and resolution of conflicts between security requirements and other requirements (functional and other quality requirements)
The transformation of a consolidated set of security requirements into security specifications
Secure service architectures and design
Model-based approaches for decomposing security concerns in software architectures;
Methods for composing security solutions in a principled way;
Collection of architectural knowledge and patterns to be reused in secure service compositions.
Programming environment for Secure and Composable Services
Security support for service composition languages;
Run time and platform support for security enforcement;
Security support for programming languages, aiming for verification.
Security Assurance for Services
Security metrics
Process support for security assurance
Building blocks for security assurance in the early development stages
Building blocks for security assurance in the implementation stages
Transverse methodologies for security assurance
Risk and Cost Aware Software Development Lifecycle
A basic methodology to perform risk management and cost assessment through the SDLC;
Prototypical versions of tool support for the basic methodology;
Extra methods and techniques to conduct risk management at run-time;
An integrated approach to security in the SDLC by offering risk and cost awareness on top of a development process that delivers security assurance.
Future Internet Application Scenarios
A set of Application Scenarios to drive and inspire the NESSoS methodology;
The validation of NESSoS methodologies in the realisation of specific Application Scenarios;
The validation of NESSoS tools in specific application scenarios;
Two demonstrators to illustrate the outcome of integrated research in NESSoS.
Spread of excellence activity
Spreading Excellence Activities:
•Dissemination and communication (including raising end user awareness on secure software assurance)
•Education and Training (Ph.D. schools, open competitions, Virtual campus)
•Exploitation, standardization and Liaison and validation by Industry
Expected results:
A flagship event on engineering secure software systems and services
3 Ph.D. summer schools
3 Industry/research seminars
Curricula for master on Secure Software engineering
Material for the virtual education centre (more than 20 courses)
E-learning facilities
3 Open competitions inside the NESSoS research areas
More than 210 publications
More than 20 Ph.Ds.
Management activities
Management Activities:
•Network Management (including administrative, financial and Steering)
•Excellence & Sustainability (including S&T assessment and monitoring)
Expected results:
Effective Administrative and financial management
Simple management structure
Effective decision making process
Information flow management
IPR management
Scientific coordination and excellence assessment
If useful, adjustments are planned at month 18
Sustainability plan
Exploitation plan
In order to sustain the NoE with joint project proposals
Risk management plan
The network and its community will last after the end of the funding period!!
Towards wider community (1)
NESSoS has an Industrial Advisory Board
We have representatives from the main ETPs and industrial stakeholders
Aljosa Pasic (Chair) Jorge Cuellar (Deputy)
TSD, is chair of the IAB
J. Claessen (Microsoft EMIC),
J. Clarke (WIT, also as e-Mobility ETP representative),
E. Delgado (ESI),
T. Dimitrakos (BT),
V. Lotz (SAP),
D. Presenza (Engineering S.p.A.),
D. Rotondi (TXT),
R. Savola (VTT also as NEM ETP representative),
D. Scarlatti (Boeing research),
N. Weinright (HP),
A. Wespi (IBM).
…
Towards wider community (2)
NESSoS has a Networking and Liaison Advisory Board
We plan to keep relationships with international communities
Javier Lopez will manage this
NESSoS has relationships with S-CUBE
NESSoS cooperates with EFFECT+
…
Highlights
A Distributed Virtual Research Lab
New methodologies and tools
Including an open Tool Workbench for SDLC (loosely integrating at least 15 tools)
New well identifiable research area for Secure Software Engineering for Future Internet Services including assurance and risk/cost considerations
A new, long lasting research community with strong EU roots (currently more than one hundred researchers)
Increasing public awareness on the topics of the NoE
A flagship Conference (ESSoS) world-wide recognized as the leading event in the area
Road-mapping and coordination activities
New education material and master Ph.D. programs (at least 17 courses), including open competitions
New knowledge
More than 210 papers produced
An open Common Body of Knowledge (created and validated by the community at large) plus a Handbook for the working security engineers
New human resources
More than 20 Post docs at the end of the NoE / more than 25 visits in the mobility program