Tools and techniques for collecting evidence of technical and organisational measures
22 Nov, 2022
By Anže Žitnik (XLAB)

The second version of the public deliverable Tools and techniques for collecting evidence of technical and organisational measures – D3.5 was released and submitted to the European Commission in October. Contributors to the deliverable are XLAB, Fraunhofer, and Fabasoft.

Building on the content of D3.2, this deliverable further focuses on the MEDINA tools for gathering technical and organisational evidence. These tools are the closest contact point of MEDINA with the Cloud Service Provider and provide the source for all further analysis of the certification.

The described tools are:

  • Clouditor: Fraunhofer’s tool that connects to the underlying cloud provider’s API, automatically and continuously detects the resources in use (such as virtual machines or databases) and analyses their configuration to evaluate potential security or compliance issues.
  • Wazuh: an open-source host-based intrusion detection system (IDS) that is installed on individual (virtual) machines in the CSP’s infrastructure. It monitors their functions, analyses anomalous behaviour or potential malware, and raises an alarm when a security issue is found.
  • Vulnerability Assessment Tools (VAT): a framework for vulnerability detection provided by XLAB, which incorporates multiple vulnerability scanning tools and periodically scans the configured targets (e.g. web servers) for vulnerabilities. It also contains functions that allow the users to use their custom scripts for assessments.
  • Codyze: an open-source static application security testing tool, provided by FhG. It analyses the source code of applications to discover security flaws and report non-compliance with standardisation requirements.
  • Cloud Property Graph (CloudPG): another tool provided by FhG that combines static source code analysis with cloud infrastructure analyses to determine compliance. CloudPG specifically addresses the possibility that technical measures (such as data encryption) are implemented at the application level or at the cloud level.
  • Assessment and Management of Organisational Evidence (AMOE): a component developed by Fabasoft to extract evidence about organisational measures by analysing policy documents using natural language processing techniques.

For all these tools, Deliverable 3.5 further describes their basic methodology, design and architecture, along with their implementation and integration states, internal structure, and how they interact with one another and the overall MEDINA framework. Links to their source code are also provided for the open-source components, as well as their installation and user manuals.

At this point in the project, the described tools satisfy most of their defined functional requirements. Some of the tools are also already fully integrated with the rest of the MEDINA components, while others are in the process of integration.

The third and final version of this deliverable (D3.6) will be released in April 2023, describing the final versions of the MEDINA evidence gathering tools.