Call for Volunteers
The EUCC ISAC Software Technical Group is launching its activities and invites volunteers to take part in the work, which will be carried out through subgroups.
The Technical Group focuses on evolving methods and tools for security evaluation of software products at AVA_VAN.3, AVA_VAN.4 and AVA_VAN.5 levels.
The Working Group aims to develop and maintain three living documents:
- Attack Methods
- Attack Potential
- Minimum ITSEF Requirements
These documents are intended to harmonize evaluation approaches, increase consistency, and adapt to emerging threats and evolving standards.
To support the development of the three deliverables, three non-disjoint sub-groups are proposed, working in parallel and synchronising through plenary meetings.
Registrations are open until 3 July 2026, end of business (EoB).
Sub-group activities are expected to begin in September 2026, with monthly meetings organised for each sub-group.
Sub-Group 1: Attack Methods
This sub-group will contribute to the development of a structured catalogue of attack methods applicable to the security evaluation of software products.
Topics proposed for consideration include:
- Existing standards and knowledge bases, including MITRE EMB3D, MITRE ATT&CK, ISO/IEC 25010, OWASP ASVS, OWASP MSTG, NIST SP 800-115 and CIS Benchmarks
- Categories of threats and controls
- Testing approaches such as SAST, DAST, IAST, SCA, Secret Scanning, Docker Security, Kubernetes Security, VM and Container Image Security, TLS/SSL Security Scanning, Platform Security Scanning and Hardening Audits
- Assumptions relating to the Trusted Computing Base, Roots of Trust and users
- Methodologies for the use of AI frameworks in software evaluation
Sub-Group 2: Attack Potential
This sub-group will contribute to the development of a reference defining factors influencing attacker capability.
Topics proposed for consideration include:
- Elapsed time
- Expertise
- Knowledge of the TOE
- Window of opportunity
- Equipment
- Replicability
- Risk assessment considerations
- Vulnerability handling
- Assumptions relating to update capabilities
- Handling of vulnerabilities highlighted by AI frameworks
Sub-Group 3: Minimum ITSEF Requirements
This sub-group will contribute to defining minimum expectations for ITSEFs conducting software security evaluations.
Topics proposed for consideration include:
- Competency requirements
- Tooling and infrastructure
- Methodology coverage
- Evidence handling and reporting
- Reverse engineering
- Fuzzing
- Semi-formal methods
- Formal methods
- Certifications of evaluators
- Access to and use of AI frameworks
Registration
The Technical Group is currently operating in pilot mode. Participation is open to interested experts and organisations, and EUCC ISAC membership is not required at this stage.
Following adoption of the Mission Statement and Terms of Reference (ToR), participation shall be formalised through EUCC ISAC membership.