Confidential Security Evaluation Environment (A13a)
Is it possible to establish a confidential assurance environment that will allow independent 3rd party evaluators to conduct software security analysis of vendor proprietary (sensitive) software, while preserving the confidentiality of the analysed software?
During regular security evaluations especially with high assurance requirements, vendors are often required to submit source code to evaluation labs or governmental regulators for review. Such a process brings concerns to the vendors, during which their software/IP could be copied, stolen or manipulated due to unintentional negligence or deliberate malicious attacks.
atsec information security is currently participating in a Swedish research project – CEST (Confidential Evaluation of Software Trustworthiness). The project aims to develop a confidential assurance environment, which reaches the following goals:
– For vendors to upload proprietary software
– For evaluators to only collect assurance proofs
– Supporting automated software analysis
– Supporting Telco security assurance test use cases
– Extensible for additional tools and test use cases
The project consortium is formed by four strong partners with individual backgrounds, Ericsson – a multinational networking and telecommunications company as the need owner, Hyker Security – an expert in confidential computing development, RISE (Research Institutes of Sweden) – a Swedish state-owned research institute with a cybersecurity focus, atsec – an independent information security assessment, testing and evaluation facility with more than 20 years of experience.