Integrating advanced security certification and policy management

Recent models of software provisioning based on cloud architectures co-exist and interact with in-premises large and heterogeneous software ecosystems. In this increasingly complex landscape, organizations and users are striving to deal with assurance in all phases of software life cycle: acquisition, installation, use and maintenance. In this paper, we start by describing the notion of machine-readable security certificates, and discuss how they can be used for assurance-based software selection. Then, we introduce some models and tools for administrators for the automatic management of security policies, which include policy conflict detection. Finally, we discuss how these two approaches can be integrated for supporting organization to (semi-) automatically address the security requirements throughout the entire software life cycle.