Together with six partners, DTU Compute will help Danish software companies to think about IT security in product development, right from the beginning.
Our digital life is amazing. We can shop online, open the front door with our phone and track when and where we go running. We are used to having our information in the cloud with access 24/7. However, all that convenience requires cyber security of the highest quality to ensure no one can misuse it. At the same time, the EU imposes increased legal requirements on the security and protection of personal data. IT security is therefore becoming a growing competitive parameter for companies.
However, a study has shown that small and medium-sized companies in Denmark lack knowledge about cyber security. Instead of developing secure applications from the ground up, they need to hire consultants later to help with the IT security of their products. This puts Danish companies at a disadvantage on the international market.
For the next three years, the section for Formal Methods at DTU Compute and six other partners in the project “Sb3D – Security by Design in Digital Denmark” with support from Industriens Fond will help Danish companies to integrate security in the way digital solutions are designed, created and maintained.
“Leading companies such as Microsoft, Facebook, Amazon and NASA use advanced methods and tools to design highly secure and reliable software systems and solutions. While using such tools can feel like cracking a nut with a sledgehammer for a small Danish company, most can easily be adopted,” says Alberto Lluch Lafuente, associate professor and section leader for Formal Methods.
“By thinking security in, from the start, it will be much easier for companies to assess their needs, and we can help them find or develop tools that fit their level,” he says.
20 business demo cases
There is a big difference in the requirements for the level of IT security in companies. In the project, DTU and the partners, therefore, want to show how smaller companies can implement cyber security relatively easily and cheaply in the design of their products. The project also wants to disseminate the tools that provide the highest levels of security for companies that, for example, work in critical national infrastructures such as the hospital system, emergency services and utilities.
The researchers will also visit 20 companies to learn their workflow and thereby see how IT security can be built into the development of new products and services without major changes in current processes.
In addition, a panel of companies will advise researchers along the way.
“It has to be as realistic as possible for the companies. For, of course, we cannot advise them to completely dismantle the way they work today. We need to find ways to easily integrate advanced IT security solutions without completely disrupting their processes,” says Alberto Lluch Lafuente.
He points out that the project partners complement each other well. The section for Formal Methods works with applying and developing advanced solutions based on computer science, mathematics and logic to reach the highest levels of IT security, while the other partners have extensive experience in improving and adapting software development processes.
Masterclass and networking groups
The knowledge sharing will take place through written material, masterclasses and workshops to let the individual employee learn to think about IT security in product development, operation and maintenance of products and services.
Through network groups divided by industries and topics, companies can share knowledge and experiences with each other even after the project is over.
In addition, the partners will investigate whether Denmark can create a labeling scheme for “Security by Design” with software products and services that meet the authorities’ rules for cyber security.
“In this way, people will be able to choose IT products and services in the same manner we choose ecological or ethical products in the supermarket,” says Alberto Lluch Lafuente.
Security by Design in Digital Denmark
- A three-year project in which six project partners collaborate to help and train Danish companies to think security into the entire design process in software development.
- The concept is called Security by Design (SbD). The concept integrates security in the way the digital solutions are designed, created and maintained.
- Participants: DTU Compute – section Formal Methods, Department of Computer Science at Aalborg University, The Danish Chamber of Commerce – Dansk Erhverv, Confederation of Danish Industry – Dansk Industri, Erhvervshus Midtjylland, Alexandra Instituttet (project lead), and The Danish Industry Foundation – Industriens Fond.
- Budget: DKK 10.4 million from the cyber security program at The Danish Industry Foundation
- Note: DTU’s master program ‘Safe and Secure by Design’ also focuses on a number of the proactive methods and techniques that internationally leading software and hardware companies use to design secure and reliable software systems and solutions.
Sources: Alexandra Instituttet and The Danish Industry Foundation