Identification of security vulnerabilities already in the software engineering phase.

ATTRACT "Secure Software Engineering"

Fraunhofer support program

Motivation and issue

Hardly a day passes without reports of a newly discovered security vulnerability or a successful cyberattack on a software system. These days, this is by no means restricted to IT systems in the office, at home or on the smartphone. Increasingly it is also affecting intelligent technical systems like modern automobiles or control systems for industrial machinery. More and more of the innovative functions in these systems are software-driven and connected to the Internet. Unfortunately, external connections frequently make these systems the target of cyberattacks. Around 90% of the attacks focus on software vulnerabilities produced by substandard engineering. Often these security vulnerabilities are not detected and rectified until after the fact, which requires a significant amount of manual rework.

Project objectives and approach

Funded within the Fraunhofer Attract program, the Project Group for Secure Software Engineering addresses this issue. It aims to identify security vulnerabilities during development and to help programmers avoid making mistakes. For this purpose, the software is automatically analyzed in the background and information on security vulnerabilities is communicated even while the program code is being written—similar to a spellchecker in a word processing program.

Integrating static source code analysis methods into standard software development environments makes it possible to analyze the flow of data through the software and to detect whether unauthorized persons would be able to siphon off confidential information. Points of attack that might permit the unauthorized input of database commands are also recognized, preventing unintended access to, or deletion or modification of, information. The results of the analyses are shown directly in the program code during the development process. Insecure code sections are highlighted, and an explanation of the security vulnerability is displayed, including suggestions for how it can be fixed. Proceeding this way enables the early detection and correction of errors and a systematic reduction in potential points of attack for hackers. Sensitive data is better protected despite the increasing connectivity, and the costs of downstream rectification are cut.
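A toy version of the data-flow check described above, as an added example that is not the project's own tooling: it follows untrusted input through assignments to a database command and reports the line with a fix suggestion. It assumes `input()` is the only untrusted source and a method named `execute` is the only sink, and it is flow-insensitive (a variable once tainted stays tainted).

```python
import ast

SOURCES = {"input"}    # assumption: functions that return untrusted data
SINKS = {"execute"}    # assumption: methods that run a database command

def is_tainted(node, tainted):
    """True if the expression reads a source call or a tainted variable."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                and sub.func.id in SOURCES):
            return True
    return False

def analyze(source):
    """Return sorted (line, message) findings for tainted data reaching a sink."""
    tree = ast.parse(source)
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    tainted, changed = set(), True
    while changed:  # propagate taint through assignments to a fixed point
        changed = False
        for a in assigns:
            if is_tainted(a.value, tainted):
                for t in a.targets:
                    if isinstance(t, ast.Name) and t.id not in tainted:
                        tainted.add(t.id)
                        changed = True
    findings = []
    for call in ast.walk(tree):
        # Only the command text (first argument) is checked; bound
        # parameters in later arguments are the safe way to pass input.
        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                and call.func.attr in SINKS and call.args
                and is_tainted(call.args[0], tainted)):
            findings.append((call.lineno,
                             "untrusted input reaches a database command; "
                             "pass it as a bound parameter instead"))
    return sorted(findings)

# Constructed sample: line 3 concatenates input into SQL, line 4 binds it.
SAMPLE = '''\
name = input("user: ")
query = "SELECT * FROM users WHERE name = '" + name + "'"
cur.execute(query)
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for line, message in analyze(SAMPLE):
        print(f"line {line}: {message}")
```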

Project overview

Project title

Secure Software Engineering

Duration

03/2013 to 12/2018

Funding

Fraunhofer Attract

Funding volume

2.5 million euros in total, of which approx. 50% is provided by Fraunhofer-Gesellschaft and 50% is obtained from institute resources.

Project manager

Prof. Dr. Eric Bodden

Objectives

  • Methods and tools to help software engineers and architects avoid creating security vulnerabilities
  • Approaches for the automated evaluation of software
  • Security guarantees for software components and systems
  • Easily interpretable presentation of analysis results

The "Secure Software Engineering" project is part of the Fraunhofer funding program "Attract".