In-depth and effective software testing

<div><p>Thorough testing is essential for secure software, but in practice it is often complex and labour‑intensive. As a result, testing tends to focus on expected behaviour - the “happy flow” - leaving unexpected errors and vulnerabilities undetected. Automated testing techniques address this gap. TNO develops testing methods that analyse software deeply and efficiently, including fuzzing, Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST).</p><h4 id="h75de485c-f267-4712-ad08-711223679527">Fuzzing</h4><p>In particular, fuzzing offers strong potential. By exposing software to unexpected or random input, errors and vulnerabilities surface quickly. However, the barrier to adoption is often high: configuring tools and interpreting results require specialist expertise.</p><p>TNO lowers this barrier through innovations that:</p><ul> <li>simplify the use and configuration of fuzzing tools;</li> <li>automatically filter and categorise test results;</li> <li>leverage software knowledge to enable more targeted testing;</li> <li>integrate fuzzing into existing development and testing processes.</li> </ul><p>This makes deep testing accessible and practical for development teams and manufacturers.</p><h4 id="h9efc8f2b-2d21-47a1-aa56-9867d79732db">Combining static and dynamic testing</h4><p>Fuzzing is a form of dynamic testing, where software is executed during analysis. When combined with static testing techniques that analyse code early in the development phase, it forms a powerful testing regime. Smart combinations of these approaches detect errors sooner and reduce remediation time and costs.</p><p>Explore which <a href="https://publications.tno.nl/publication/34642661/7OyCa9Lp/TNO-2024-M10313.pdf" class="importLink">methods and tools (pdf)</a> can be used for software testing, and the specific value each provides.</p></div>

Software & System Security

Thema:: Cybersecurity

Cyber attacks are becoming more sophisticated, software is growing ever more complex, and regulations are tightening. As a result, secure by design is no longer a nice-to-have but a prerequisite for reliable software and systems. Yet many organisations still see cybersecurity by design as complex, time‑consuming or expensive. It doesn’t have to be.

Making secure by design practical

Cybersecurity is rapidly becoming a decisive quality parameter. The challenge is to integrate security seamlessly into design and engineering processes without overburdening teams or slowing down time to market. At the same time, organisations want assurance that their investment will continue to deliver value.

We make secure by design practical – including legacy software and systems. Together with partners, we develop proof of concepts tailored to specific customer environments. This enables product and system developers to embed secure‑by‑design principles more effectively in their engineering processes and apply relevant technologies throughout every development phase.

Product security across every development stage

Secure by design does not stop at the design phase. Embedding security and testing across the entire software development lifecycle (SDLC) significantly improves quality. Early security measures combined with in‑depth testing not only protect against cyber attacks, but also enhance system stability and reliability. This reduces both vulnerabilities and unintended failures.

Thorough testing is essential for secure software, but in practice it is often complex and labour‑intensive. As a result, testing tends to focus on expected behaviour - the “happy flow” - leaving unexpected errors and vulnerabilities undetected. Automated testing techniques address this gap. TNO develops testing methods that analyse software deeply and efficiently, including fuzzing, Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST).

Fuzzing

In particular, fuzzing offers strong potential. By exposing software to unexpected or random input, errors and vulnerabilities surface quickly. However, the barrier to adoption is often high: configuring tools and interpreting results require specialist expertise.

TNO lowers this barrier through innovations that:

simplify the use and configuration of fuzzing tools;
automatically filter and categorise test results;
leverage software knowledge to enable more targeted testing;
integrate fuzzing into existing development and testing processes.

This makes deep testing accessible and practical for development teams and manufacturers.

Combining static and dynamic testing

Fuzzing is a form of dynamic testing, where software is executed during analysis. When combined with static testing techniques that analyse code early in the development phase, it forms a powerful testing regime. Smart combinations of these approaches detect errors sooner and reduce remediation time and costs.

Explore which methods and tools (pdf) can be used for software testing, and the specific value each provides.

Security demands continuous attention throughout the SDLC. DevSecOps embeds security structurally into development and delivery processes. TNO researches and develops proof of concepts for automated security controls within CI/CD pipelines, with a strong focus on practical effectiveness: what works in production environments and how it fits existing processes.

Modern software is built from third‑party components. Transparency across the supply chain is therefore essential. A Software Bill of Materials (SBOM) provides insight into dependencies and vulnerabilities and forms the foundation of a secure software supply chain.

TNO supports organisations in creating and applying SBOMs and develops practical knowledge and guidelines. In collaboration with the Dutch National Cyber Security Centre (NCSC) of the Ministry of Justice and Security, TNO publishes a series of papers to help organisations develop and implement SBOMs. Download the SBOM: What, why and how, starterguide.

Systems with stringent reliability requirements – such as those used in national security or critical infrastructure – demand additional assurance. Formal verification makes it possible to prove the absence of errors and vulnerabilities mathematically. TNO has deep expertise in applying these techniques to complex, safety‑critical systems.

Sector-specific solutions

Secure‑by‑design practices vary by sector, depending on the software systems in use and their specific security requirements and objectives. Operational technology (OT) systems, such as those in the energy domain, must be optimally secured for safety reasons, but also to maintain public trust in critical technologies. This means zero tolerance for outages and the highest levels of reliability.

Manufacturers of critical industrial products depend heavily on external suppliers and require maximum availability to remain competitive. Governments and other public‑sector organisations must be able to rely on the security of their systems and increasingly require mathematically proven integrity and confidentiality.

TNO develops solutions aligned with sector‑specific risks, regulations and operational environments, combining technological depth with practical applicability.

Building secure software and systems today

Whether developing new software or securing existing systems, secure by design forms the foundation for long‑term digital trust. We develop the technologies, methods and frameworks that embed security structurally and make it demonstrable. This enables organisations to build secure systems today that remain reliable tomorrow.

Contact us

Skip navigation (Contact us)

Eduard Hoekx

Functie:
Senior Business Manager Cybersecurity
Eduard Hoekx has a track record of over 25 years in (cyber)security, including as strategist and head of the security lab at a major telecom operator. At TNO, Eduard is responsible for converting (cyber)security innovations into useful and impactful applications for an increasingly digitalizing society.

More about Eduard
- Standplaats:
  Den Haag - New Babylon
- Email:
  Email Eduard
Thomas Rooijakkers

Functie:
Cyber Security Researcher
Thomas Rooijakkers, a cybersecurity researcher at TNO, is dedicated to improving software quality and security. As Lead Scientist, he integrates cybersecurity into product development, creating resilient cyber-physical systems. In his role as Interim Portfolio Manager, he strategically guides TNO’s cybersecurity portfolio, driving innovative, secure solutions for industry and accelerating the digital transition.

More about Thomas
- Standplaats:
  Den Haag - New Babylon
- Email:
  Email Thomas

Back to navigation (Contact us)

Get inspired

30 resultaten, getoond 1 t/m 5

Province Noord-Brabant, TNO and partners join forces on cybersecurity

Informatietype:: News

28 January 2026

The Province of Noord-Brabant, TNO, BOM, Brainport Development, Avans, TU/e and a broad coalition of partners are launching the Brabant House of Cyber.

over Province Noord-Brabant, TNO and partners join forces on cybersecurity