Triple project success for Software Architecture Research Group (SWA)

In addition to the "AssureMoss" project, with a large European participation, "GECO", a collaboration with the technical and financial expert fiskaly, and "IAC2", with the University of Stuttgart, have been approved. The Faculty congratulates!

The research group Software Architecture (SWA) is headed by Prof. Dr. Uwe Zdun.


Duration: 01.10.2020 - 30.09.2023
Long title: Assurance and certification in secure Multi-party Open Software and Services
Applicant: Università di Trento
Project partners: SAP S.E., University of Gothenburg, EY Advisory, Delft University of Technology, THALES, Pluribus One, FrontEndART Software Ltd, European Virtual Institute for Integrated Risk Management, SEARCH Laboratory

Continuous, distributed changes rule today's European Digital Single Market as no single company does master its own national, in-house software. Software is mostly assembled from "the internet" and more than half come from Open Source Software repositories (some in Europe, most elsewhere). Security & privacy assurance, verification and process certification techniques designed for large, controlled updates over months or years, must now cope with small, continuous changes in weeks, happening in sub-components and decided by third-party developers one did not even know existed.
AssureMOSS addresses these challenges to the fullest extent: "Open Source Software - Designed Everywhere, Secured in Europe". AssureMOSS proposes to switch from a process-based to an artefact-based security evaluation by supporting all phases of the continuous software lifecycle (design, develop, deploy, evaluate and back) and their artefacts (models, source code, container images, services). The key idea is to support mechanisms for lightweight and scalable screenings applicable automatically to the entire population of software components by
Machine intelligent identification of security issues across artifacts,
Sound analysis and verification of changes by tracing the security and privay side effects,
Business insight by risk analysis and security evaluation.
This approach supports fast-paced development of better software by a new notion: continuous (re)certification. The project will generate not only a set of innovative methods and open source tools but also benchmark datasets with thousands of vulnerabilities and code that can be used by other researchers.

Further information:
Call: H2020-SU-ICT-2018-2020
Project page:



Duration: 12 months
Long title: Generic eFiscalisation in the Cloud for a wide range of organisations
Applicant: fiskaly GmbH

In the context of GECO we want to find a generic way to record process data correctly, completely and integrity protected in various applications, where the process data comes from unsafe environments. In the project we want to investigate the research questions which represent a large and unsolved challenge for cloud-based generic solutions of security systems, since it is still unclear which technical solutions are possible at all and whether they will be accepted in a foreseeable certification procedure, if feasible.

The following questions are to be examined in the project:

  1. which software architectures exist as solutions or which novel combinations of possible solutions are possible in this context;
  2. which characteristics distinguish these solutions with regard to compliance with existing documents on security systems (such as protection profiles issued by the BSI), which relationships they have with each other and which characteristics they have with regard to the desired system qualities of a cloud-based solution;
  3. whether and how the envisaged solutions can be realised within the framework of fiscal environments and modules;
  4. which solution approaches are covered by open source and/or commercial offers.

Additional information:
FFG Basic Programme
Project page:
Project partner website:


Duration: 01.12.2020-30.11.2023
Long title: Infrastructure-as-code Architecture Decision Compliance
Applicant: Research Group Software Architecture (Uwe Zdun)
Project partner: Universität Stuttgart

The project aims to reduce complexity and improve quality through rigorous laC ADD compliance specifications, and reduce risks and uncertainties by basing these specifications on established pattems and bad smells. Based on this foundation, it aims to provide means for precise identification of these pattems and bad smells in laC code and architectures, and to provide automatic detection in laC code and architectures. Together these contributions will enable improving quality through precise identification and automatic detection, and the reduction of risks and uncertainties by replacing manual processes, which also reduces the necessary costs and efforts especially in maintaining complex laC architectures. Finally, the project aims to provide novel means for continuously measuring and monitoring laC compliance improvements and degradations, thus enabling evidence-based improvement of the architecture. All project results will be evaluated in various empirical studies.

Additional information:
International programme - DACH: DFG Joint Project
Project page:
Project partner website: