ATTRACT "Secure Software Engineering"

Hardly a day passes without reports of a newly discovered security vulnerability or a successful cyberattack on a software system. These days, this is by no means restricted to IT systems in the office, at home or on the smartphone. Increasingly it is also affecting intelligent technical systems like modern automobiles or control systems for industrial machinery. More and more of the innovative functions in these systems are software-driven and connected to the Internet. Unfortunately, external connections frequently make these systems the target of cyberattacks. Around 90% of the attacks focus on software vulnerabilities produced by substandard engineering. Often these security vulnerabilities are not detected and rectified until after the fact, which requires a significant amount of manual rework.

Funded within the Fraunhofer Attract program, the Project Group for Secure Software Engineering addresses this issue. It aims to identify security vulnerabilities during development and to help programmers avoid making mistakes. For this purpose, the software is automatically analyzed in the background and information on security vulnerabilities is communicated even while the program code is being written—similar to a spellchecker in a word processing program.

The integration of static source code analysis methods within standard software development environments enables analysis of the flow of data through the software and the detection of whether unauthorized persons would be able to siphon confidential information. Points of attack that might permit the unauthorized input of database commands are also recognized, preventing the unintentional accessing, deletion or modification of information. The results of the analyses are shown directly in the program code during the development process. Unsecure code sections are highlighted, and an explanation of the security vulnerability is displayed, including suggestions for how it can be fixed. Proceeding this way enables the early detection and correction of errors and a systematic reduction in potential points of attack for hackers. Sensitive data is better protected despite the increasing connectivity, and the costs of downstream rectification are cut.