Based on the current state of affairs, and observed trends in regulations, technologies and geopolitics, the CEST Consortium agreed on the vision of building a Confidential Software Security Assurance environment meeting the following challenges:
- Intellectual property – Regulators should consider the intellectual property (IP) concerns of software suppliers and vendors, and formulate their regulations with a view to protecting this valuable asset.
- Confidentiality – Increased software exposure mandated by regulation raises vulnerability risks, since proprietary software may contain unknown vulnerabilities that powerful adversaries may discover and exploit as zero-day attacks. Regulated assurance shall consider these confidentiality concerns.
- Premises neutrality – The assurance frameworks should be neutral with respect to where the actual software analysis and assurance processes take place. Software suppliers and vendors should not be forced to conduct software analysis on pre-selected premises, jurisdictions, or environments; instead, different options should be available for vendors and evaluators to agree on, including vendor/supplier premises, evaluator premises, and cloud services.
- Automation – Software analysis processes should adopt AI/ML technologies that reduce human-factor dependency and subjectivism, leading to impartial/unbiased assessments that increase the trustworthiness of the assessment results.
- Zero Trust (ZT) – The established practice of implicit trust among several entities in the assurance ecosystem goes against the emerging security principle of ZT. We need to redesign software security assurance schemes so that they follow the ZT principles of verifiable trust and asset protection.
- Continuous ZT assurance – The current waterfall practice of submitting new software releases, or patched ones, for security assurance needs to be revised so that an incremental assurance process can be embedded in the software development process.