Software engineering and IT security research unit

Excerpt from an interview with Eric Bodden, Matthias Becker and Matthias Meyer

The objective of the Software engineering and IT security research unit is to create processes, methods and tools for developing secure software-intensive systems. These days, software has a unique level of importance. More and more companies in fields such as plant and mechanical engineering or the automotive industry are recognizing the need to expand their software development expertise — and they are very interested in the solutions our research unit is producing. In this interview, the director, Eric Bodden, and the heads of department, Mattias Becker and Matthias Meyer, explain the reasons for this and outline the services Fraunhofer IEM has to offer.

Why should companies take an interest in secure software development, regardless of the sector they are in?

Meyer: Because software is used everywhere and it has a significant impact on the value of many products these days — not only in terms of value creation, where software development makes up a large share of product development, but also in terms of the advantages for customers and the user experience. Another factor is that in today’s technical systems, there is no safety without security. Operational safety is inextricably linked with protection against attacks and information security. Even industry standards have now started calling for this to be taken into account, for example, in the plant and mechanical engineering, automation and automotive sectors. We are working together with companies to find ways of implementing these fairly general security recommendations that suit their specific organizations.

Are global and geopolitical crises intensifying the need to take an interest in IT security?

Bodden: IT security is more important than ever before, and more and more people are realizing the urgency of the situation. The concept of “critical infrastructure” is being discussed everywhere, from nuclear power stations to retail, logistics and supply chains. Software is used everywhere, and it needs guaranteed protection against attacks at all times. You can’t just go out and buy a universally secure software. That always has to come from individualized configurations, and requires constant reviewing. And the idea of critical supply chains now applies to software development as well, as today, up to 90 percent of software is purchased or obtained through open-source channels. The current geopolitical situation is just one of the many reasons that companies need to become less dependent on external software that lacks transparency.

What can Fraunhofer IEM offer companies that want to pay greater attention to the area of secure software development and IT security?

Becker: We offer a structured approach with suitable supporting methods and tools. This means we can also provide transparency in relation to the quality of the software and software development processes. We use a threat analysis to identify potential vulnerabilities and then seek out countermeasures. We place particular emphasis on the “secure by design” approach here: our goal is to assess the security of software-intensive systems across their entire life cycles.

Bodden: We are currently working to develop market-ready software tools that support the “secure by design” process. We want to give as many companies as possible the ability to apply this approach. Because they have a higher level of automation, more effective programming and regular backup processes, our “secure by design” tools can unlock a great deal of potential for companies.

Let’s take a look at the expertise question: how can security know-how be integrated into companies?

Becker: IT security cannot just be the development department’s responsibility; it has be on the agenda for the company’s highest-level employees. Many companies need to rethink their approach in this area, and expand their knowledge accordingly. Our range of training courses for developers, product owners and managers addresses precisely this issue. It’s important to us to go beyond just informing our customers about current technology developments; we also want to prepare them for coming challenges.

What opportunities does the new Secure Engineering Lab open up?

Meyer: Thanks to the Secure Engineering Lab, we can offer companies a modern infrastructure for software development. We bring companies into the lab for many different reasons, such as collaborating on a joint project, attending workshops and training courses, and learning about best practices. Our powerful software and hardware allows us to demonstrate how advanced software development processes can be created nowadays. The lab also gives companies the opportunity to put together a development infrastructure of their own and test it out right there on our premises.

What fields is the research unit currently focusing on more intensely?

Bodden: We have some exciting new projects in very topical fields, such as “privacy by design,” for example, where we are investigating how companies can prevent data theft and avoid the associated damage to their reputation. We are also using our development methods to tackle challenges relating to software value chains. These days, it’s not just hardware that comes primarily from external suppliers — software also has more complex supply chains now. That adds another layer of complexity when it comes to integration, in terms of both software development processes and IT security.

The department researches processes, methods and tools for the efficient development and operation of reliable and secure software-intensive systems of the (Industrial) Internet of Things (IoT). We enable high software quality and consider not only functional safety, but especially information security. We place particular emphasis on taking safety and security into account as early as possible and throughout the entire life cycle (safety and security by design). We cooperate with national as well as international companies and research institutions and regularly publish our findings at high-profile scientific conferences and lecture events.

Requirements engineering and design

The group develops methods and tools for requirements analysis and software design of high quality, safe, and secure IoT systems. Our solutions follow the Safety-and-Security-by-Design-principle and align with norms for safety (e.g., ISO 26262), security (e.g., IEC 62443), and process quality (e.g., SPICE). We use model-based methods, e.g., for hazard and threat analysis, requirements engineering, and architecture design. Additionally, we transfer our knowledge into industrial application by coaching-on-the-job and training services.

Software construction and analysis

to techniques for the automatic generation of source code from design models, we are working on highly efficient and precise methods and tools for automated static and dynamic software analysis in order to detect quality problems and, in particular, security vulnerabilities already during development. We focus on programming languages such as C/C++ or the IEC-61131 languages for programmable logic controllers (PLC). A complementary research focus is on solutions for time-of-use analysis of IoT systems to detect anomalies or cyber attacks.

The department supports local and international companies developing secure services and apps for smartphones (Android and iOS), desktops (Windows, MacOS, Linux), or the web. We support teams from all kinds of sectors, e.g., software, IT consultants, insurance, health, education, and manufacturing to evaluate and improve their processes and train them in efficient and secure software engineering. To automate the security checks of software, we design, build, and evaluate tools that help teams detect potential security risks as early as possible. We want to enable security for everyone, so we focus on the usability of our security tools.

We collaborate with renowned researchers and successful companies worldwide. We regularly publish our research results in peer-reviewed scientific journals and at prestigious conferences.

Development teams and processes

The group is specialized in empowering development teams and improving their processes – especially in the context of software security. We develop and conduct professional trainings tailored to the company’s domain, technologies, and culture. The participants of our trainings are developers and their stakeholders like product owners, executives, and customers. Our training goal is to raise their awareness and their security competence such that everyone can fulfill its role in the context of software security. In addition, we work closely together with our industry partners to identify security issues in their processes and software as early as possible. We achieve this via consulting, data analytics, and automated monitoring of key performance indicators (KPIs). We focus on improving agile DevOps processes.

Development tools

The group researches, designs and prototypes developer-centric security checking tools based on our latest program analysis techniques for Java, .NET, JavaScript and other programming languages. Primarily, we develop static code analyses that are fast and report the relevant issues to the user that are easy to explain. Additionally, we combine other methods, such as dynamic analyses or machine-learning to achieve better results, i.e., results that are more relevant to the context of use. An important aspect of our tools is the usability and the workflow integration for software developers. We regularly perform empirical user studies with our tools or others from the market such as CodeQL/Github, Infer/Meta, etc .

A full list of our publications can be found here.