Assurance by Automation and AI
Assurance is a term used when talking about security in software development. There are different definitions of the term, and I summarize their content as: the degree of confidence that the security needs of a system are satisfied.
Today, a lot of manual work is needed to feel confident that the security needs of a system are satisfied. Spreadsheets and checklists are typically used, and they usually provide only samples of the current state of the system. But what if we could automate some of the manual work? And what if we could provide information about the system in real time?
My name is Linnéa Oxenwaldt, and I have been working at Omegapoint for almost 3 years, where I have facilitated the implementation of security in the software development lifecycle. Since September 2022 I have been part of the initiative CyDig (cybersecure digitalization), which aims to automate assurance and improve the security state by visualizing the security needs of systems. I am now doing my AMP (Academy Master Program), where I will continue the work of expanding the assurance controls contained in CyDig and increasing their value. I will also investigate whether AI could be of use when implementing assurance controls. By my side during my AMP I have my mentor Nada Kapidzic Cicovic.
CyDig
The project CyDig started as a result of reading the book Investments Unlimited, which describes how a financial company builds and implements automated assurance controls in order to get a view of the security state of its systems. By visualizing the results of the controls, they knew what needed to be done to satisfy the security needs.
CyDig is a set of controls that run in a pipeline, which then uploads the results to a dashboard. The controls belong to the category of quantitative assurance, described in an earlier post. A view of a team’s dashboard can be seen below, where the result of each control is reported either at team level or at code repository level. The result of a control is evaluated against a set of requirements, and whether the security need is met or not is shown by different colors.
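To make the pipeline-to-dashboard flow concrete, here is an added example that is not CyDig's code or Omegapoint's: a minimal model of how controls, requirements and colour-coded status fit together. The control names, thresholds, repository fields and the JSON payload shape are all assumptions chosen for illustration; the point it demonstrates is that each control measures one property of a repository snapshot as a number, a requirement turns that number into a green/yellow/red status, and the statuses roll up from repository level to team level by taking the worst one.

```python
"""Hypothetical model of pipeline-run assurance controls (not CyDig's code):
controls measure a repository snapshot, requirements map the measurement to a
colour, and results roll up to a team-level dashboard payload."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Dashboard colours; SEVERITY gives the order used when rolling up ("worst wins").
GREEN, YELLOW, RED = "green", "yellow", "red"
SEVERITY = {GREEN: 0, YELLOW: 1, RED: 2}


@dataclass(frozen=True)
class Requirement:
    """A security need expressed as thresholds on a measured value.
    value <= green_max is satisfied, value <= yellow_max needs attention,
    anything larger fails. Thresholds here are assumed, not CyDig's."""
    control: str
    green_max: float
    yellow_max: float

    def evaluate(self, value: float) -> str:
        if value <= self.green_max:
            return GREEN
        if value <= self.yellow_max:
            return YELLOW
        return RED


# Controls: each measures one property of a repository snapshot and returns a
# number, so the same requirement logic applies to every control.
def days_since_dependency_scan(repo: dict) -> float:
    return repo["days_since_dependency_scan"]


def open_critical_vulns(repo: dict) -> float:
    return repo["open_critical_vulns"]


def unprotected_default_branch(repo: dict) -> float:
    # Boolean control mapped to 0/1 so that "lower is better" holds throughout.
    return 0 if repo["branch_protection"] else 1


CONTROLS: Dict[str, Callable[[dict], float]] = {
    "days_since_dependency_scan": days_since_dependency_scan,
    "open_critical_vulns": open_critical_vulns,
    "unprotected_default_branch": unprotected_default_branch,
}

# Assumed requirements: a scan within 7 days is green, within 30 is yellow;
# zero critical vulnerabilities is green, up to 2 is yellow; branch protection
# has no yellow band, it is either on (green) or off (red).
REQUIREMENTS = [
    Requirement("days_since_dependency_scan", green_max=7, yellow_max=30),
    Requirement("open_critical_vulns", green_max=0, yellow_max=2),
    Requirement("unprotected_default_branch", green_max=0, yellow_max=0),
]


def worst_status(statuses) -> str:
    return max(statuses, key=SEVERITY.__getitem__)


def evaluate_repo(repo: dict) -> dict:
    """Run every control against one repository and attach a status per control
    plus an overall repository status (the worst control result)."""
    results = {}
    for req in REQUIREMENTS:
        value = CONTROLS[req.control](repo)
        results[req.control] = {"value": value, "status": req.evaluate(value)}
    return {
        "repo": repo["name"],
        "controls": results,
        "status": worst_status(r["status"] for r in results.values()),
    }


def evaluate_team(team: str, repos: List[dict]) -> dict:
    """Team-level view: per-repository results and the worst repository status."""
    repo_results = [evaluate_repo(r) for r in repos]
    return {
        "team": team,
        "status": worst_status(r["status"] for r in repo_results),
        "repos": repo_results,
    }


def dashboard_payload(team: str, repos: List[dict]) -> str:
    """What a pipeline step would upload to the dashboard (assumed JSON shape)."""
    return json.dumps(evaluate_team(team, repos), indent=2)


# Constructed sample snapshot of the kind a pipeline step would collect.
SAMPLE_REPOS = [
    {"name": "payments-api", "days_since_dependency_scan": 2,
     "open_critical_vulns": 0, "branch_protection": True},
    {"name": "legacy-batch", "days_since_dependency_scan": 45,
     "open_critical_vulns": 1, "branch_protection": False},
]

if __name__ == "__main__":
    print(dashboard_payload("team-alpha", SAMPLE_REPOS))
```

Running it prints a team payload where payments-api is green on every control while legacy-batch is red (stale scan, unprotected branch) with one yellow control, so the team as a whole shows red; that "worst wins" roll-up is what makes a single team-level colour honest about the underlying repositories.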
During my AMP I will try to identify new controls that can be implemented technically, in order to increase the level of confidence that system security needs are fulfilled. I will go through some regulations (e.g. the Cyber Resilience Act) to identify security requirements and pair them with existing or new assurance controls.
AI and Assurance
AI is an emerging field where a lot is happening today and will continue to happen in the coming years. We can already see that things we were doing manually yesterday, AI can do automatically for us today. During my AMP I will investigate how AI can help us do some of the work that is needed to fulfill our security needs. Can AI do threat modeling? Can AI do code reviews? Can AI review external components? And can we use AI as an assurance tool? These are some of the questions I will try to answer.
My Goal
My overall goal can be summarized as: increase the assurance level in the software development lifecycle. In other words, help development teams and stakeholders have confidence that the security needs of their systems are satisfied.
The main activities that will take me to the goal are:
Expand and improve the quantitative assurance model (CyDig).
Improve competence about how AI can be helpful when working with security and assurance.
Spread the knowledge about assurance, and the combination of secure development and AI.
I hope that I can contribute to a world where it is fun and easy to achieve secure by design!