Repository of requirements for the AssureMOSS scheme
In the AssureMOSS project we aim to improve the security of MOSS (Multi-party Open Software and Services), which faces challenges of increasing complexity, high-frequency update cycles and high evaluation costs. To this end we will create a methodology to evaluate and certify MOSS projects regularly, in order to improve and maintain a higher level of security in those projects. We aim to make the methodology and the tools related to this effort open source for the benefit of open projects. As a first step, this document presents the state of the art in security certification by describing the most popular and relevant – from the point of view of AssureMOSS – certification schemes. Moreover, as these schemes have shortcomings, we present the motivation for creating the AssureMOSS scheme. In AssureMOSS we concentrate on the domain of MOSS, where constant recertification caused by the rapid release cycles of a product would impose extreme overhead on the budget, and on developers as well, if they had to maintain documentation suitable for security evaluation. The AssureMOSS scheme would fill a void in the cloud and microservices domain by employing the concept of delta evaluation in a lightweight certification scheme. Building on the capabilities of the AssureMOSS tools and implementing the methodology of the AssureMOSS scheme presented here, we will build the DeltAICert tool, which will help the work of security evaluators by automating the security evaluation and certification process via delta evaluation, which concentrates the evaluation effort on the changes between the certified version and the new version of the target of evaluation (ToE).