Open-Source SATCOM Security Audit Framework (OSSCAF) – From Vulnerability Detection to Mission Assurance

We are currently working on a core activity within the ESA Cybersecurity Makerspace (ESA 1-12146) that focuses on the security of open-source software in SATCOM infrastructure. As satellite systems become more software-defined, relying on open-source components is inevitable. However, we’ve found that reactive patching isn’t a sustainable solution for space missions. Instead, our team is piloting a systematic audit methodology designed to identify and assess these challenges before they reach orbit.


Our framework, OSSCAF, doesn’t try to replace established standards like NIST, OWASP, or CVSS. Instead, it pulls them together and adds space-specific intelligence from SPARTA and ESA Space Shield. We’ve developed 16 criteria across five key domains, including memory safety and supply chain integrity, to evaluate software maturity. By using common CWE taxonomies, we can cross-reference findings and validate vulnerabilities against independent severity estimates. This gives the European space community / ecosystem a repeatable audit toolkit rather than just a one-off report.


We are currently testing this approach on the GODOT project. This pilot has been a reality check for the methodology, especially in highlighting the difference between a simple vulnerability and what we call systemic weakness within the project context. We’ve seen that while automated tools are good at finding code flaws, they often miss deeper design weaknesses like numerical computation errors or telemetry buffer issues. These are the kinds of problems that are critical to a mission’s success but are invisible to standard scanners.

One of our main goals is to move away from the idea of temporary code patches. Maintaining a fork of open-source code for every mission is a huge maintenance burden. Instead, our applied framework activity produces hardening blueprints. These are version-agnostic remediation strategies and secure coding guidelines that ESA can apply even as the software evolves. In short, we’re aiming for a practical audit toolset that helps the SATCOM community use open-source innovation safely, without compromising mission integrity.  

Beitrag veröffentlicht

in

von

Elin Böhm

Schlagwörter: