Interview with Lëtzebuerger Gemengen, translation by itrust consulting.
As the threat of cyber-attacks increases, cybersecurity experts are expanding their innovation capacity to protect public and private data as effectively as possible, as is done in the CyFORT project. We spoke to its creators, Carlo Harpes and Arash Atashpendar, Managing Director and CTO/Head of R&D respectively at itrust consulting and itrust Abstractions Lab.
Can you present CyFORT to us?
Carlo Harpes: CyFORT is a research project aiming at developing a series of open-source cybersecurity tools, also suited to Cloud Computing. CyFORT stands for “Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience”. This work is part of a collaboration with European and local partners, and the results of the project will be published and made freely available to interested parties. Our solutions will help to improve the security of an organization and of a product thanks to open source tools and standards-aligned methods.
Arash Atashpendar: CyFORT targets both public sector institutions and private sector companies that want to improve their software development lifecycle processes, integrate information security and risk analysis methodologies into their organization, and secure their infrastructures, tools and products.
What exactly is meant by "open source"?
Carlo Harpes: As the name suggests, the source code is made available to the public via open access platforms. This allows development to continue in a collaborative way. Anyone can study the code, modify it and distribute it freely, while respecting a few criteria set out in the licences. In this way, anyone can study our solutions without depending on us, or on any third-party platform, and can continue to improve them.
Arash Atashpendar: We also use open source solutions to create increasingly efficient, transparent and flexible tools. Since these tools are sometimes used in critical areas, these three virtues are more than necessary. As mentioned, the source code for our tools will be published under free or open distribution software licences, and will be made available.
How do you conceive such a project?
Arash Atashpendar: We recycled good and bad experiences from previous research projects: in CRITISEC, we designed an intrusion detection solution that proved to be ineffective because the underlying algorithms developed as part of a thesis proved insufficient in our tests. In addition, multiple industrial software development projects have enabled us to define the need for structured documentation of security requirements, their implementation and verification.
Carlo Harpes: We created a spin-off from itrust’s R&D activity, called “itrust Abstractions Lab”, a separate structure that allows us to focus more closely on our research and development pillars, such as artificial intelligence and cryptography. But once we had conceived this project, we had to overcome the challenge of restructuring it and adapting it several times to the requirements for co-funding.
Can you tell us more about these new products?
Carlo Harpes: One of the work packages is designing CS-GRAM, “Cloud Services – Governance, Risk management, Audit, and Monitoring”, a series of tools to support the CISO: OpenAriana helps to write security policies and procedures. By structuring information that generally comes from ISO standards, combining it and customizing it according to a company’s needs, it generates policies in the format desired by the customer, and templates to document observations and decisions of an auditor. draw.trickservice.com can be used to draw dependencies between assets and model risk propagation. TRICK generates risk reports in the format required by regulators and in formats that can be read by management.
The following players have already benefited from these tools: Cebi, Creos, Encevo, enovos, LuxMetering, the Grand-Ducal Police, SUDenergie and numerous local authorities.
One successful challenge was to submit risk analyses in the format specified by the ILR regulator in Regulation ILR/N22/7 of 15 September 2022 (a JSON format that was complicated to read), constrained by a tool that had no facility for injecting the parameters that the regulated operators already had in Excel format. Despite the difficulties, ILR received risk analyses in the desired format prepared by the CyFORT tool.
Arash Atashpendar: The second tool is called C5-DEC, which stands for “Common Criteria for Cyber Security, Cryptography, Clouds – Design Evaluation and Certification”. The software component of C5-DEC and its knowledge bases provide a coherent set of tools for the secure software development lifecycle. It also enables the security of IT systems and software to be assessed impartially according to the Common Criteria (CC), an internationally recognized set of standards (ISO 15408). Our tool simplifies these complex and costly processes, making them more accessible and efficient. One of its strengths is that it can be customized. This also gives assessors the assurance that products are compliant. The first version will soon be published as an open source tool, and has already been used in the context of a project for a public sector customer, as well as in research projects for the European Commission and the ESA, among others.
What specific challenges do these solutions address?
Carlo Harpes: We’ve noticed that a lot of companies have problems managing IT development projects, particularly because projects are not sufficiently documented. Our solutions make it possible to read a product like an open book, well aligned with the standards. They clearly specify the applicable data linked to the product, structure it, and thereby ensure security in the development and implementation process. Thus, they provide our customers with a very rigorous process for creating well-documented products.
Arash Atashpendar: Imagine you’re interested in a chat tool into which you can slip a message that will be shared in encrypted form. Thanks to our solution, you will be able to test this tool, but also obtain all its specifications to ensure that the promise is kept, that the tool is secure, that the message is encrypted with the agreed algorithms and keys. You’ll be able to read everything the tool does, how it does it, what components are involved, what source code is used, etc. This is an enormous gain in time and security for both the next generation of developers and for testers of the software.