Software products are increasingly subject to successful cyberattacks, leading to an estimated EUR 5.5 trillion global annual cost of cybercrime. This is, to a large extent, due to a low level of cybersecurity, reflected by widespread vulnerabilities and inadequate approaches for identifying and mitigating the rapidly and constantly evolving cyber threats and vulnerabilities, as well as ensuring continuous compliance with regulations, industry standards, and best practices.
To reduce the impact of cyberattacks, it is essential to assess the conformity to security standards of software products and services throughout their life cycle. The traditional certification process is predominantly a static and expensive one-time assurance activity that does not cater to the needs of agile product delivery, which promotes continuous product updates and upgrades, and often changes in requirements. Each such update opens doors to product vulnerabilities and consequently poses cyber risks for product users. Software vulnerabilities may have consequences for critical systems and services that we are dependent on in our daily life. Eleven European partners from across 7 countries set out to mitigate such issues and help the software industry to prevent and quickly respond to cyber threats.
Simula’s work in CERTIFAI, led by Dr. Dusica Marijan, focuses on explainable AI for certification process management. “We will build explainable traceability between standards’ requirements and all relevant certification artifacts for increasing the transparency of the certification process. In case non-compliance between the software under test and standards’ requirements is detected, it is necessary to explain the root causes of noncompliance, thus increasing the trustworthiness of the certification process” says Dusica Marijan, Senior Research Scientist at Simula.
The project has received funding from the European Union's Horizon Europe program and will test the developed technology in several industrial domains including railway, energy, maritime, and environment surveillance.