Providing Security Assurance & Hardening for Open Source Software/Hardware: The SecOPERA approach

2023 IEEE 28th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD) (2023)

Abstract
Rapid open-source software and hardware prototyping, fueled by the significant expansion of the development community, has led to the deployment of highly sophisticated frameworks, solutions and products. However, because open-source solutions are managed in all aspects by their designers/engineers, they lack professional evaluation of their security level. The absence of comprehensive security assessment, as well as of a consolidated and ubiquitous roadmap for vulnerability patching and security hardening, makes open-source solutions a risk for widespread enterprise use. This paper introduces a security assurance approach that addresses open-source hardware and software shortcomings in an end-to-end manner by providing a logical decomposition of any such module into four distinct component layers: device, network, application and cognitive. This allows highly focused security assessment that takes into consideration the specific characteristics of each layer. In addition, the paper provides an approach for improving the security of open-source solutions through decomposition, layered vulnerability mitigation and specialized security hardening techniques. The proposed framework, which is the main research and innovation focus of the SecOPERA Project, intends to transform an open-source solution into a protected one, as well as to provide security guarantees of its overall security status.
Keywords
Security Assessment, Security Hardening, Open Source Software, Open Source Hardware