The increasing prevalence of digital devices in all areas of life and the rapidly increasing number of attacks on such systems make robust security tests of these systems increasingly relevant. At the same time, the EU Cyber Resilience Act (CRA) increases the pressure on manufacturers to implement demonstrably effective security measures. From 2027, products with digital elements that come onto the EU market must meet basic security requirements and have structured vulnerability management.
Traditional testing methods often reach their limits here. They tend to be too isolated and do not provide consistent evidence of compliance and security across the entire product lifecycle. In the European research project DOSS (Design And Operation Of Secure IoT Supply Chain), Fraunhofer FOKUS developed an integrated methodology that combines security analysis techniques and integrates them seamlessly into existing development and deployment processes.
Security testing is often considered a special discipline alongside classic test automation. A new methodology automatically integrates static and dynamic security tests, reduces false positives and checks patches for completeness before release. The article describes the methodology, which is independent of specific tools and was developed and validated by Fraunhofer FOKUS in the DOSS project.
The approach combines static and dynamic analysis techniques and uses AI to identify vulnerabilities at an early stage and verify them in a targeted manner. In addition, dynamic analyses are used to validate security patches, which is particularly relevant for meeting CRA requirements. The results are prepared in machine-readable form so that they can be reused in supply chains and certification processes.
That was the reading sample of our heise Plus article “Automating security tests: From code analysis to patch validation”. With a heise Plus subscription you can read the entire article.
