Automating Adherence to Safety Profiles After Fixing Vulnerabilities


Creating a critical safe or secure system generally comes down to two aspects. The system has to be able to meet the technical expectations to handle its criticality and there needs to be evidence these expectations are actually met. With today’s software systems being built by integrating various software components, more often using open source than custom proprietary solutions, it’s obvious that having complete and reliable evidence that the software is created with criticality considerations, such as safety profiles, in mind is key. Demonstrating the technical capabilities of a system to achieve the safety and security qualities can be done by established analysis methods. However, proving that its process provides the systematic evidence that all has been implemented, tested, built and configured as required, needs evidence of traceability from requirement to tests and release. Typically this evidence is locked within proprietary tools, never 100%, needing manual tasks to prove traceability between items. With continuous changes due to security updates or continuous deploys, managing this systematic evidence gets impossible. This video will present a model using SPDX, that allows for automated checks for integrity and availability of evidence to prove the systematic capability of software consumed by critical systems.