Introduction to SHIELDS

Project data

Co-ordinator: Professor Nahid Shahmehri, Linköping University
Partners:

  • Linköping University, Sweden
  • SINTEF, Norway
  • European Software Institute, Spain
  • Fraunhofer IESE, Germany
  • Institut National des Télécommunications, France
  • Montimage, France
  • SEARCH-LAB, Hungary
  • TXT e-Solutions, Italy

Duration: January 1, 2008 to June 30, 2010
Project type: STREP

Contact SHIELDS

Mail: Professor Nahid Shahmehri
Department of Computer and Information Science
Linköpings universitet
SE-58183 Linköping
SWEDEN

E-mail: nahsh@ida.liu.se
Phone: +46 13 282066

Many potential security vulnerabilities exist and are known to security experts. But developers often fail to avoid these vulnerabilities: the same mistakes are repeated over and over again. The core reason for this is that information on vulnerabilities is not available to developers in a form conveniently accessible to them while they work on software design and development.

At the same time there is an increasing desire amongst software developers, their customers, and society at large to avoid security vulnerabilities.

The main objective of SHIELDS is to bridge the gap between security experts and software developers and thereby reduce the occurrence of security vulnerabilities. The project will:

  • Make it easier and faster for security experts to make information about identified security vulnerabilities known to the developer community, in a form directly accessible via widely used design and development tools.
  • Help individual developers to detect and remove security vulnerabilities from directly within the development tools they normally use.
  • Increase awareness amongst developers about known security vulnerabilities.
  • Help software development organisations to verify (internally and to their customers) that they have successfully reduced security vulnerabilities in their products.

The approach to achieving these overall objectives centres on developing and integrating leading-edge research on formal security models and on techniques for detecting security vulnerabilities, made accessible by the project's Security Vulnerabilities Repository Service (SVRS). This internet-accessible service will provide a standardised way for security experts to represent and publish formalised vulnerability models that are easily accessible by development and security tools, putting the latest security information right at the fingertips of developers.

The SVRS will be supported by a set of security tools to be developed in the project (partially based on existing tools owned by partners). These tools will allow security experts to create and/or edit models of vulnerabilities and publish these in the SVRS, and will:

  • Assist developers to detect instances of security vulnerabilities modelled in the SVRS in their designs and source code using: automated techniques that analyse source code etc.; manual inspection techniques; both static (source code based) and dynamic (testing/monitoring based) techniques.
  • Assist developers to remove vulnerabilities by providing them with precise, customised instructions (linked to the analysis that took place during detection), and automatically checking for their successful removal.
  • Gather metrics within an organisation about vulnerabilities detected and removed (to aid internal process improvement initiatives).
  • Provide advice to developers about the extent to which designs and source code conform to security policies.

The SVRS will provide an open interface to allow different development tools to be interfaced to it, enabling tools to stay up-to-date with the latest security knowledge. A SHIELDS Compliant programme will be set up in the project to assist tool developers who want to interface their tools to the SVRS.

To help development organisations demonstrate externally that known security vulnerabilities are not present in their software, a SHIELDS Verified certification programme will be developed. This will define the quality processes and mechanisms by which organisations can be granted a widely accepted certificate.

As a part of the project, the SHIELDS Guide will be developed that explains how:

  • Existing development processes (e.g. Agile, RUP) can apply and benefit from the SHIELDS tools and methods.
  • An organisation can measure and verify security improvements.
  • Security and development tools outside of the project can integrate SHIELDS by using the architectural framework and become compliant.