What are the software security implications of 5G?

Thierry Bonhomme, former CEO of Orange Business Services

Thierry Bonhomme is a renowned expert in the telecommunications industry, having served for over 30 years at Orange Group, most recently as CEO of its B2B branch, Orange Business Services, until 2018. He was in charge of the development of the division that provides telecommunications and IT services around the world, and also held leadership roles related to research and development. He holds an engineering degree from the Ecole Polytechnique and Ecole Nationale Supérieure Telecommunications. Thierry Bonhomme joined TrustInSoft as an independent board advisor in 2020.

 

In the next 2-5 years, what would be, in your opinion, the major, disruptive trends in the telecoms market?

The telecommunications industry is in many ways similar to other industries, in that the main trends seen in the rest of the industries exist also for telecommunications. However, nothing compares to the digital transformation taking telecom companies and their customers by storm.

This digital transformation, which is all about flexibility, adaptability, agility, and scalability, is profoundly changing industries, and particularly the mobile network operators, enabling them to become more efficient. This means being able to adapt strategies and executions to a very unpredictable and constantly changing environment, which is relatively new and valid more than ever today with the COVID-19 crisis. This digital transformation is built upon a collection of new technologies such as AI, IoT, Cloud, Analytics, and the modernization of the infrastructure. What makes things even more interesting for the operators is that they should try to support the digital transformation of their customers both in B2C and B2B. For B2C customers, this transformation is basically « more of the previous » so more bandwidth, more services. For B2B, the transformation is more impactful because it will require a lot of new skills and competencies mainly based on software development. And this is one of the challenges the operators will need to face, as they were previously specialized in hardware (like boxes and associated services).

The catalyst for this digital transformation is of course 5G. The public benefits are quite well known: drastically higher speed, capacity, and reliability/low latency. What is more known to the specialists is that 5G introduces a separation between control plane and data plane. Data circulates on very standardized infrastructures, whereas the control functions are completely softwarized and based on elements that could be virtualized and as well developed in what we call a cloud-native infrastructure, thus reducing the need for hardware.

“Software is eating the world,” said Marc Andreessen from Andreessen Horowitz, and the operators are discovering it is very true for them as well, while thinking their business could be protected by barriers to entry, like the cost of the infrastructure.
Technologies will be based on software development capacities as well as software-defined infrastructure and 5G which is combining more or less all the technologies I mentioned for digital transformation.

5G is supposed to generate many new use cases. Which would be the most impactful in your opinion?

One of the main differences between 5G and previous generations of cellular networks lies in 5G’s strong focus on machine-type communication and the Internet of Things (IoT). The capabilities of 5G thus extend far beyond mobile broadband with ever-increasing data rates. In particular, 5G supports communication with unprecedented reliability and very low latencies, and also massive IoT connectivity. This paves the way for numerous new use cases and applications in many different vertical domains.

But 5G answers first a basic challenge of the operators: in order to support the ever-increasing traffic in the mobile telecoms business, due to more and more content available, operators need to take action on three fronts: building new radio sites, acquiring new spectrum, and enhancing the technologies to make them more efficient in terms of bits per hertz per second / spectral efficiency. Content streaming, sharing, and deliverability are growing very fast, but spectrum is limited, and it’s difficult to increase the number of sites in a given city or developed country.

Coming back to what will change with 5G, there are three revolutionary transformations with 5G: mMTC (massive Machine Type Communications), URLLC (Ultra-Reliable Low Latency Communications), and eMBB (enhanced Mobile Broadband). Behind these complicated acronyms lie three topics:

mMTC is all about capacity for large amounts of machines and being able to manage many objects in a limited area. At its peak, 5G is supposed to support more than 1 million objects per square kilometer. For operators, this means they will be able to manage very large amounts of devices in a given area without degrading the quality of service.

URLLC is enabling ultra-reliable and low latency services. With less than 10 milliseconds latency, not detectable by human brains, industries will get an immediate response in automation, robotics, or medical use cases, which is not possible with current wireless solutions.

Finally, the eMBB functionality will allow up to 10 times more bandwidth than 4G and will provide services comparable to the fiber. Obviously this will help the consumption of content streaming or remote gaming services, in higher resolutions. This will also enable what we call fixed wireless access, which is the capacity in relatively isolated locations where you don’t have fiber to provide fiber-like bandwidth and services.

But the most disruptive implication of 5G is that operators will be able to adapt and dedicate services for specific clients or industries, what we call the verticals: agriculture, healthcare, education, automotive, transports, industry… This is made possible with the virtualization of network services, edge computing, and network slicing.

Combinations of new standards within the 5G core network will allow interaction between partners, developers, industries, and the operators for developing new applications directly using the network-provided functions. This will provide many opportunities in the healthcare ecosystem, mission-critical world, and factory transformations. The combination of new technologies and initiative will give way to innovation, for example, the massive machine-type communication, leading to a transformation in manufacturing and production towards a more adaptable environment, known as Industry 4.0.

Do you think 5G will have a positive impact on the adoption of IoT and why?

Globally yes, as the value proposal of 5G is rather compatible with what the industry and factories need for their transformation. Many proofs of concept using limited volumes of IoT exist, but it’s not easy to generalize or transition to an industrialized solution and higher volumes, mainly due to the fact that there are many players and stakeholders involved in the transformation, slowing things down a little.

The promise of IoT is billions of objects connected. I don’t think it will happen within the 5G technology; it is probably a topic for 6G future development, which will happen in 10 years from now. However, in the meantime, even with current 4G and coming 5G, there are still many things that could and need to be invented and provided, to accelerate the digital transformation of the world and that will contribute to deploying large volumes of devices.

For 5G, do you think this software is more mission- or safety-critical, than previous software that we had on 4G networks?

Definitely yes! The service provided by 4G was not adaptable or tailored to specific services, users, or locations. You could only design specifications within the core network and that was it. It was one service for all, whatever the use case, client, or context.

With 5G and what is called “the slicing network services”, operators will be able to set up service, latency, throughput, resilience, availability, and reliability dedicated to specific clients, places, or use cases. Technically, it is possible by creating multiple virtualized and isolated logical networks over the same physical network infrastructure.

Moreover, “northbound APIs” exposed by network functions, allow end-user applications to interact with the network functions of the 5G network; for instance, for driving a robot, or Automated Guided Vehicles, or for driving supply chain, etc. It is this network slicing that allows very deep connections between software, which will be developed for the industry of the future, for factories, robots, etc, and 5G.

Of course, there is an impact on safety and security that are driven today mainly by functions separation. While efficient, this is not very flexible or adaptable to use case specifics. On the other hand, in 5G, with direct interaction between the application and network functions, safety and security requirements of these very critical applications are transferred to the end-users within the 5G ecosystem.

To ensure these safety and security requirements are met, it is essential to have direct and efficient interaction and convergence between software developers, to check and provide the verification and validation that what is developed matches the safety and security requirements of the industry and the 5G network.

With all this software becoming available in this 5G context, what would be some of the cybersecurity issues that could originate from devices or end-user applications and that could have negative consequences for 5G users?

One of the risks will be at the interface or interconnection between the 5G and end-user ecosystems that used to be separated. Physical separation was an efficient but very rigid solution for security. When you are trying to interconnect different elements such as 5G network functions with IT local area networks or with industry ERP with the REST APIs, you open the door to new risks. While efficient in terms of new development capacity, it raises the risk for one element to pollute the others, creating potential issues that did not exist with physical separation.

This risk requires a deeper investigation of the compatibility in terms of safety and security between the different contributions of these new services.

Another challenge to be addressed is the difference in managing software deployments.
Having 5G within a given factory means that you will have 5G connectivity modules within the equipment or objects. Frequently, in a mobile network context, you need to update them often to include new features or patch the firmware. But with frequent releases, you are interacting and changing lines of code in the software of these 5G modules, which was not the case in the past. On the other side, in the industrial world, the components are very stable. The question here is how to manage and make these two previously-separated trends compatible? If there are more interventions, and code updates, there are more risks in terms of process control, including data leakage or other bugs.

According to you, what kind of changes should the equipment vendors make to adapt to these new constraints in developing software that is much more secure and safer?

Because of this new connection between networks and end-users, cooperation between ecosystems that were previously separated is absolutely essential. The capacity for different actors of the value chain to speak a common language, whether that’s between components providers, the machine builders, telecoms operation, IT developers, or system integrators, becomes critical.

Speaking a common language also means sharing testing and validation tools, for example, to address the safety and security topics and I see room for improvement here.
To achieve this cooperation, there is a need to launch very early joint projects based on testing. For example, initiatives such as joint testbeds, joint laboratories or projects could be efficient to take into account upfront and by design safety and security issues and end-to-end customer experience. This would allow developers to avoid working on those topics at the end of the process after realizing there are issues earlier in the code.

A last important challenge to tackle by the ecosystem is data sharing. I am referring to data that will contribute to the general interest and the development of the acceleration of the digital transformation. The ecosystem needs to agree on a common scope to share and use that data.

How do you see TrustInSoft’s contribution to help address the security challenges of 5G efficiently?

5G involves large quantities of software and code at all the stages of the ecosystem, northbound, southbound, and at the network layer.
TrustInSoft is already working with major telecommunication vendors to help them secure the source code behind the network functions.

However, with the massive machine type communication feature of 5G, there will be countless devices with embedded code and firmware, connected to the networks. TrustInSoft has an open window to strongly contribute here. With the mathematical guarantees on the robustness of that code, end-users will be reassured on the security and safety of those devices.

As “software is eating the world”, there will be more and more use cases that will leverage automation in connected factories or autonomous decision making – like in autonomous cars. It is more than ever essential to have a complete understanding and control over the software taking those decisions. Undefined behaviors cannot be tolerated as they can lead to dangerous behaviors or security risks. TrustInSoft’s code analyzer can ensure the absence of those behaviors, leading to 5G technologies being used in a secure way by the different industries.

Press Release

Paris, February 20th 2020

TrustInSoft cancels participation at the Embedded World 2020 Show in Nuremberg

Because health and well-being always come first at TrustInSoft, Fabrice Derepas (co-founder and CEO at TrustInSoft) and Benjamin Monate (co-founder and CTO at TrustInSoft) made the prudent decision to cancel the company’s employees’ participation in the Embedded World Show, in Nuremberg, from February 25th to February 27th 2020, due to the COVID-19 risk exposure.

This decision was made after closely observing and monitoring the situation following the spread of the coronavirus. Health and well-being of TrustInSoft’s employees and others is above all else.

TrustInSoft thanks the NürnbergMesse GmbH for their understanding. TrustInSoft apologizes to its customers, partners and prospects for not being present.

TrustInSoft encourages all the persons that intended to visit its booth to quickly get in touch to schedule a meeting.

TrustInSoft looks forward to attending Embedded World 2021.

 

Sales and press contact:

Mahaut.gouhier@trust-in-soft.com

+33 7 69 84 46 04

TrustInSoft raises €5M to push into the self-driving car and IoT markets

Through its Brienne III cybersecurity fund – first of its kind in France – ACE Management leads this round followed by TrustInSoft’s longstanding shareholders, Idinvest Partners and business angels.

Paris, 4 November 2019 – TrustInSoft, a cybersecurity software publisher whose technology provides software code reliability and security, based on mathematical proof, announces a new round of €5M led by ACE Management, the European leader for private equity investment in cybersecurity. Building on its success in France and the United States, TrustInSoft’s next focus will be expanding its international presence.

Spun off from the French Atomic Energy Commission (CEA) under the leadership of Fabrice Derepas, Benjamin Monate and Pascal Cuoq, TrustInSoft is the first company to provide developers with guarantees of the quality of the code they produce, allowing “secure by design” developments to confirm critical code cybersecurity and secure operations without having to modify the development process.

TrustInSoft has been successful in rolling out its technology, and has built a solid base of reference customers in France and the United States, especially in the defence and nuclear industries. The company has also launched a freemium SaaS offer available to all GitHub developers in order to enable them to detect and remedy software development faults.

TrustInSoft is now expanding in two main areas: self-driving cars, and the internet of things (IoT). This €5M investment will allow the company to further penetrate these markets by rolling out a paying SaaS offer adapted to this environment, and structuring indirect sales channels through international partners. TrustInSoft is looking to capitalise on a scalable model by using dedicated open source platforms: Baidu’s Apollo for self-driving vehicles, and ARM Mbed for IoT projects. Combined with proven technological edge and a clear ability to apply its solution, this strategy should enable TrustInSoft to establish itself naturally as a key player.

“We are delighted to be welcoming some top new investors, and proud of the trust that our shareholders and clients are putting in our solution”, said Fabrice Derepas, CEO of TrustInSoft. “We have built a unique solution with a team of world-class experts, and this fundraising will allow us to continue our international growth and extend our technological progress to sharpen our competitive edge.”

“Factoring in security right from the design phase for critical embedded software is a major challenge to which TrustInSoft provides a user-friendly, scalable, ultra-hi-tech response that can be fitted into an industrial development cycle. We are delighted to be making our Brienne III fund’s first investment in TrustInSoft to back this brilliant team as it grows internationally”, said Gilles Daguet, General Partner of ACE Management.

“We are happy to be reaffirming our support for the TrustInSoft founders in this new and ambitious stage, for which ACE Management is the ideal partner. TrustInSoft has game-changing potential in the automobile and embedded software industries, allowing software publishers to demonstrate mathematically the reliability and strength of their code for the first time ever.” Louis Bô, Investment Manager at Idinvest Partners.

About TrustInSoft

TrustInSoft is a software publisher of a source code analyser that can provide mathematical guarantees as to the quality of the software and absence of weaknesses. With sales divided between Europe and the United States, and the biggest clients in Asia, the company hopes to transform the software market by testifying to product reliability and security. Already present in sectors where the software is critical, TrustInSoft is reaching a growing number of sectors in which cybersecurity is becoming a major concern.

TrustInSoft Press Contact:

Mahaut Gouhier
TrustInSoft
222 cour avenue du Maine
75014 Paris, France
+33 (0)7 69 84 46 04
mahaut.gouhier@trust-in-soft.com

About ACE Management

ACE Management (a subsidiary of Tikehau Capital) is a fund management company that, for 20 years, has been specialised in private equity to benefit innovation and industry. It manages three main product lines, representing more than €500M of investment: Aerofund (aerospace), Brienne (defence & cybersecurity) and Atalaya (shipping). The main investors in these funds are European industrial groups, institutional investors, and French regional governments. For more information: www.acemanagement.fr

ACE Press Contact:

Delphine Dinard
ACE Management
10 avenue de Messine
75008 Paris, France
+33 (0)1 58 56 25 68
del@acemanagement.fr

About Idinvest Partners

With €8bn in assets under management, Idinvest Partners is a renowned mid-market private equity company in Europe. Idinvest Partners has developed various complementary fields of expertise: venture and growth capital for young and innovative European companies; mid-market private debt (single tranche, senior loans and subordinated finance); primary and secondary investments in unlisted European companies; and private equity consulting. Created in 1997, Idinvest Partners belonged to the Allianz group until 2010, when it became independent. In 2018, Idinvest Partners became a subsidiary of Eurazeo, one of the world’s leading investment companies, which directly and indirectly manages €17.7bn of diversified assets, with nearly €11bn of this total invested on behalf of third parties in a portfolio of more than 400 companies.

Idinvest Press Contacts:

Idinvest Partners
Marie-Claire Martin
Head of Communications
+33 (0)6 85 52 52 49
mcm@idinvest.com

Steele & Holt
Claire Guermond
Consultant
+33 (0)6 31 92 22 82
claire@steeleholt.com

Directory:

ACE Management:

Quentin Besnard – Partner
Stéphanie Hillard – Investment Director

ACE Management advisors:

Financial advisors: KPMG – Damien Moron
Legal advisors: Joffe & Associés – Thomas Saltiel and Charlotte Viandaz
Intellectual property advisors: Cabinet Benech – Frédéric Benech
Human resources advisors: Capic – Catherine Marechal

Corporate advisors:

Baker McKenzie – Antoine Caillard, Savéria Laforce and Gautier Valdiguie

Raphaël Rieu-Helft presented his paper at Oxford University

Our employee Raphaël Rieu-Helft attended the 9th International Joint Conference on Automated Reasoning, within the Federated Logic Conference at the prestigious Oxford University.

There, he presented “A Why3 framework for reflection proofs and its application to GMP’s algorithms” co-authored with Guillaume Melquiond from Inria. This framework makes it easier to write dedicated decision procedures that make full use of Why3’s imperative features and are formally verified. Raphaël uses it to formally verify GMP’s algorithms.

Have a look at his presentation here

As we are always striving for continuous scientific improvements, we are truly proud of Raphaël’s achievement.

CONGRATULATIONS Raphaël!

Applying formal methods to existing software: what can you expect?

Our CTO Benjamin Monate giving a talk at the Sound Static Analysis for Security Workshop 2018 at the National Institute for Standards & Technology (NIST).

Find the slides of Benjamin’s talk at the NIST here 

Formal methods-based source code verification tools have a very strong promise: mathematically prove that a piece of software is perfect. In some specific economic sectors, new languages have been adopted to help developers build perfect-by-construction software. But the vast majority of software is not perfect-by-construction and experience shows that it comes with tons of bugs. In this talk, Monate discussed what developers can expect from the application of formal methods-based tools to existing imperfect-by-construction code bases, what they should not expect, and how such tools will help make the software better and better by incrementally reducing its hidden technical debt.

This work has been supported by the Core Infrastructure Initiative of the Linux Foundation.

Michele Alberti wins LOPSTR 2017 Best Paper Award

In October 2017, our dear employee Michele Alberti attended the 27th International Symposium on Logic-Based Program Synthesis and Transformation in Namur, Belgium.

The LOPSTR series of conferences aims to stimulate and promote international research and collaboration on logic-based program development.

Michele presented the research work “Context Generation from Formal Specifications for C Analysis Tools”, co-authored with fellow researcher Julien Signoles from the CEA List – Software Security Laboratory. For its relevance, originality and technical quality, his work has won the LOPSTR 2017 Best Paper Award.

Read the paper here.

As a Start-Up company that values teamwork effort and Research & Innovation, we are truly proud of Michele’s achievement.

CONGRATULATIONS Michele!

Happy 2018 from TrustInSoft

Happy 2018 from all of us at TrustInSoft. What we achieved in 2017 thanks to you, is just the beginning. Thank you to our community for this great year! Keep your software secure & code safely! Cheers! #HappyNewYear2018

Meet us at CES2018 in Las Vegas

From tech powerhouses to innovative startups, companies big and small from all industries come to CES to introduce the latest innovation to the global market. It has served as the proving ground for innovators and breakthrough technologies for 50 years — the global stage where next-generation innovations are introduced to the marketplace.

TrustInSoft will be attending this year’s edition of CES in order to showcase the innovative technology behind the TrustInSoft Source Code Analyzer.

Want to know more about how you can validate your software? Come meet TrustInSoft at the Business France Automotive Pavilion, stand CP-5, Central Plaza, at CES, on January 9-12, 2018.

See you there!

Our 1st Free & Online Source Code Analyzer launched at Arm TechCon

TrustInSoft attended Arm TechCon last week from the 24th to the 26th of October in Santa Clara, CA. It was a great show, and our booth was very busy.

We also hosted our product launch party on Wednesday 25th. We enjoyed a great keynote by Dr. Murray, our CTO’s new product announcement, and a live demo. It was also a great time to network with our guests while sharing appetizers and champagne.

However, the star of the show was and remains our 1st Free & Online Source Code Analyzer.
