AssureMOSS · Project (SciTransfer)

Automated Security Screening and Certification for Open Source Software Supply Chains

digital · Tested · TRL 5

Most software today is built like a LEGO set — assembled from thousands of open source pieces written by people you've never met. The problem is, any one of those pieces could have a security hole, and checking them all manually is impossible. AssureMOSS built tools that automatically scan these software building blocks for vulnerabilities, trace security risks when code changes, and give you a continuous "health certificate" for your software — like a food safety label, but for code.

By the numbers

13 consortium partners across academia and industry
7 countries represented in the consortium
54% industry participation ratio in the consortium
9 working demo prototypes delivered
33 total project deliverables
EUR 4,689,425 in EU funding invested
Thousands of vulnerabilities in benchmark datasets for testing

The business problem

What needed solving

Companies today ship software assembled from hundreds or thousands of open source components, many maintained by unknown third-party developers. Every update to any component could introduce a security vulnerability, but manual security reviews cannot keep pace with continuous deployment cycles. Organizations face growing regulatory pressure to certify their software supply chains, yet current certification methods were designed for slow, controlled release cycles — not today's reality of weekly or daily updates.

The solution

What was built

The project delivered 9 working prototypes: a model validation tool for tracing security properties to code, a qualification and certification system for deployed services, a state machine learner for runtime monitoring, an integrated tool chain for delta evaluation of source code changes, an indicator-based risk assessment tool, a runtime access control system that detects and isolates anomalous components, a final integrated risk assessment and evaluation pipeline, a security analytics dashboard with resilience indicators, and a machine learning-based detector for model extraction attacks. All backed by benchmark datasets containing thousands of real vulnerabilities.

Audience

Who needs this

CISOs and security teams at companies with heavy open source dependency
Software development companies needing continuous security certification for CI/CD pipelines
Financial institutions under regulatory pressure to prove software supply chain security
Critical infrastructure operators (telecom, energy, defense) requiring component-level certification
DevSecOps teams at mid-to-large enterprises struggling with dependency vulnerability management

Business applications

Who can put this to work

Financial Services & Banking (enterprise)
Target: Banks and fintech companies using open source components in customer-facing applications

If you are a financial services company dealing with regulatory pressure to prove your software supply chain is secure — this project developed an integrated tool chain for delta evaluation and risk assessment that automatically screens open source components for vulnerabilities. With 13 partners across 7 countries building and testing these tools, the results are designed for real enterprise environments like yours.

Software Development & SaaS (any)
Target: Software companies shipping products built on open source dependencies

If you are a SaaS company struggling to keep up with security reviews every time a third-party library updates — this project built prototypes for continuous recertification that trace security side effects of code changes automatically. Instead of manual audits that slow your release cycle, these tools screen your entire population of software components using machine learning to identify security issues across artifacts.

Critical Infrastructure & Defense (enterprise)
Target: Companies in telecommunications, energy, or defense that must certify software before deployment

If you are an infrastructure operator required to certify every software component before it goes live — this project developed a qualification and certification prototype for deployed services, plus run-time access control that detects anomalous components and automatically isolates them. These tools were built with input from large enterprises like SAP and Thales who face the same certification demands.

Frequently asked

Quick answers

What would it cost to implement these security screening tools?

The tools and benchmark datasets are released as open source, so there is no licensing fee for the core technology. Integration and customization costs would depend on your software stack and scale. The project was funded with EUR 4,689,425 in EU contribution across 13 partners over 3 years.

Can these tools handle enterprise-scale software with thousands of dependencies?

Yes, the tools were specifically designed for scalability. The project objective states they support 'lightweight and scalable screenings applicable automatically to the entire population of software components.' The tool chain was tested in pilot tasks within the project.

What is the IP and licensing situation?

The project committed to generating open source tools and benchmark datasets with thousands of vulnerabilities and code for use by other researchers and practitioners. However, some prototype components have intellectual property management provisions noted in the deliverables, so specific licensing terms may vary by tool.

How mature are these tools — are they production-ready?

The project delivered 9 demo prototypes and 33 total deliverables, including a final integrated tool chain for risk assessment and delta evaluation. These were tested in pilot tasks. However, they are research prototypes, not commercial products — expect integration work before production deployment.

Does this work with our existing CI/CD pipeline?

The tools are designed around continuous development and deployment workflows. The delta evaluation tool chain specifically targets changes in source code and container images during the software lifecycle. Based on available project data, integration with standard CI/CD systems was a design goal but specific platform compatibility would need to be verified.

What standards or regulations does this help us comply with?

The certification scheme was designed to support security evaluation and process certification for software assembled from open source components. This is directly relevant to upcoming EU regulations like the Cyber Resilience Act and existing standards for software supply chain security. The project included EU-VRi, a special interest group focused on risk and certification standards.

Who built this and can we get support?

The consortium includes 5 leading universities (Delft, Gothenburg, Trento, Vienna, VU Amsterdam), 3 large enterprises (Ernst & Young, SAP, Thales), 3 SMEs (FrontEndART, Search-Lab, Pluribus One), and EU-VRi. The coordinator is University of Trento in Italy. Post-project support would likely come through the SME and industry partners.

Consortium

Who built it

This is a strong, industry-oriented consortium with 13 partners from 7 European countries and a 54% industry ratio — well above average for research projects. The mix is notable: 3 heavyweight enterprises (Ernst & Young, SAP, Thales) bring real-world software supply chain challenges, while 3 specialized SMEs (FrontEndART, Search-Lab, Pluribus One) bring focused security tooling expertise. Five top-tier universities (Delft, Gothenburg, Trento, Vienna, VU Amsterdam) provided the research muscle. EU-VRi adds certification and standards credibility. For a business looking to adopt these tools, the presence of SAP and Thales as partners signals the tools were tested against enterprise-grade requirements, not just academic scenarios.

How to reach the team

The coordinator is University of Trento (Italy). SciTransfer can help you reach the right person on the research team.

Next steps

Talk to the team behind this work.

Want to know if AssureMOSS tools fit your software security needs? We can arrange a direct conversation with the team that built them.