
The open-source community has expanded significantly in recent years, with combined hardware-software open-source solutions gaining traction and market interest. Open source operates on a pull support model: responsibility rests with users to track vulnerabilities, fixes, and updates for the open-source components they use. This DevOps model, distinct from that of proprietary solutions, complicates an organization's efforts to monitor the open-source components used in its applications. Open-source code often lacks the formal verification, auditing, and security testing processes typical of proprietary software, leaving it without sufficient security guarantees to be considered trusted.
Furthermore, the diverse dependencies between open-source codebases, where individual developers can fork projects and introduce variations, make tracing vulnerabilities highly complex. In the open-source hardware domain, Intellectual Property (IP) cores provided by the open hardware community usually come without security guarantees and can be vulnerable to side-channel attacks or contain hardware Trojans. Owing to the complexity of hardware description language code and the lack of adequate testing tools, such vulnerabilities often go undetected.
This open-source landscape makes achieving and assuring security in interconnected business markets exceedingly challenging, especially in IoT, where products incorporate components from various Tier 1 or OEM manufacturers and comprehensive security guarantees are lacking. OEM developers and product producers using open-source solutions must assume that third-party components require reassessment through security audits, as no holistic auditing and testing process covers the full production line. This issue is especially critical with the growing market integration of open-source ML/DL models in domains such as automotive and healthcare, where these models lack security credibility with respect to the leakage of sensitive information. To address these challenges, development teams require reliable and timely vulnerability information, a comprehensive inventory of their software's open-source dependencies, and appropriate security guarantees.
SECOPERA aims to serve as a one-stop hub for complex OSS/OSH solutions, providing designers, implementers, operators, and developers with tools to analyze, assess, secure, harden, and share open-source solutions integrated into complex, networked environments. SECOPERA will deliver a security auditing toolbox for identifying security issues in software and hardware open-source components; provide methodologies and tools to enhance the security of both software and hardware open-source solutions; adapt the SECOPERA solution to open-source development workflows; integrate the SECOPERA components (Decompose, Audit, Secure, Adapt, Update) into a single solution; validate SECOPERA through various use cases; and promote market adoption of the solution based on open-source principles.
ITML’s role in the project
ITML is responsible for integrating all components and services developed during SECOPERA into a unified framework, providing all the backend components and infrastructure needed to realize the SECOPERA platform. Moreover, ITML will supervise the piloting activities and the final evaluation of the project outputs. Finally, ITML will plan the market uptake of the SECOPERA solution by identifying market gaps, mapping needs, and determining exploitation routes.
For more information, visit the official project website: https://secopera.eu/
