“Continuous Compliance Data Science for Software Systems”
K. Kontogiannis (PI)
Dept. of Computer Science
Large software systems encompass complex interactions among their components and are subjected to frequent maintenance activities applied in order to fix bugs, add new functionality, port to new platforms, or interoperate with other systems. An important aspect to consider, is how such maintenance activities can be achieved in a way that first minimizes the risk of failures, and second how these maintenance activities can be integrated in a continuous deployment (CD) / continuous integration (CI) DevOps process. One major aspect on achieving this objective is to identify and remediate early on, possible vulnerabilities which are manifested as violations of known published controls. The solution to this problem is even more important for large scale systems such as federal enterprise information systems. More specifically, a key part of the certification and accreditation process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog (see NIST 800-53 vulnerabilities controls list).
This project aims to develop novel technologies for evaluating and assessing the level of compliance in such systems in a way that conforms with CD/CI practices and guiding the resolution or mitigation of non-compliance findings.