IBM Canada
“Continuous Compliance Data Science for
Software Systems”
K. Kontogiannis (PI)
Dept. of Computer Science
Western University,
Large software systems
encompass complex interactions among their components and are subjected to
frequent maintenance activities applied in order to fix bugs, add new
functionality, port to new platforms, or interoperate with other systems. An
important aspect to consider is how such maintenance activities can be
carried out in a way that, first, minimizes the risk of failures and, second,
allows them to be integrated into a continuous deployment (CD) /
continuous integration (CI) DevOps process. One major aspect of achieving
this objective is to identify and remediate, early on, possible vulnerabilities
that manifest as violations of known published controls. The solution to
this problem is even more important for large-scale systems such as federal
enterprise information systems. More specifically, a key part of the
certification and accreditation process for federal information systems is
selecting and implementing a subset of the controls (safeguards) from the
Security Control Catalog (see the NIST SP 800-53 security controls list).
This project aims to develop
novel technologies for evaluating and assessing the level of compliance in such
systems in a way that conforms with CD/CI practices, and for guiding the
resolution or mitigation of non-compliance findings.