Test Prioritization in Security Risk Testing

Transcription

1 Test Prioritization in Security Risk Testing 36. GI-TAV June, Leipzig - Deutschland Michael Berger, Fraunhofer-Fokus-Institut RASEN

2 IT SECURITY RISK ASSESSMENT AND TESTING RASEN

3 IT security risk definition The Potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization (Source ISO 27000) Risk = Likelihood * Consequence RASEN

4 Risk assessement (ISO / 2009) Risk identification: identifying sources of risk, areas of impacts, events, their causes and their potential consequences Risk analysis: comprehend the nature of risk and to determine the level of risk Risk evaluation: comparing the results of risk estimation with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable Risk treatment: modify risk by avoidance or mitigations RASEN

5 Dynamic test process (DRAFT ISO ) Test planning: determine test strategy, resource planning Test design : deriving the test cases and test procedures. Test implementation: realizing the executable test scripts. Test execution: running the test procedure resulting from the test design and implementation phases. Test reporting: managing the test incidents and the test results. RASEN

6 Optimizing security testing activities Security testing Test planning Test design Test implementation Test execution Security risk assessment Risk-based security test identification Risk-based security test selection & prioritisation Test reporting RASEN

7 Optimizing security risk assessment Security risk assessment Test-based risk identification (identifying new risk factors) Test-based reassessment of risk values (e.g. probabilities) Security testing Establishing context Risk identification Risk analysis Risk evaluation Risk treatment RASEN

8 Risk-based security testing goals Providing arguments by experiments Risk assessment Test reporting Test planning & test design Test execution Provide arguments for the absence of potential vulnerabilities. Provide arguments for the functional correctness of treatment scenarios and countermeasures. Discover unknown risk factors (i.e. vulnerabilities) Provide feedback for reassessing risk values RASEN

9 SECURITY RISK ANALYSIS WITH CORAS RASEN

10 Model-based security risk assessment The CORAS approach Source: Developed by Scandinavian research organisation SINTEF CORAS consists of Method for risk analysis Language for risk modeling Tool for editing diagrams Model-driven RASEN

11 Model-based security risk assessment The CORAS approach Vulnerability Treatment scenario Unwanted incident Consequence Threat (agent) Threat scenario Likelihood Asset Source: RASEN

12 Risk evaluation Risk = rv (Likelihood, Consequence) P(X)= 0,055 RASEN

13 Model-based security risk assessment CORAS example (HBGary hack) RASEN

14 TEST PATTERN AND PRIORITY RASEN

15 Risk-based security testing Qualitative approach: Risk-based test identification What should be tested? Starting point: Vulnerabilities Threat scenarios Treatment scenarios Quantitative approach: Risk-based test selection & prioritisation How much/intensive should be tested? Starting point: Test objective specification Test scenario specification Likelihood and consequence values RASEN

16 Risk-based security test identification Security Test Pattern Security test pattern consists of: Mandatory attributes, i.e. id and name parameters for test assessment Descriptions and procedures for manually testing Parameters for automatically testing (stimulation and observation) RASEN

17 Risk-based security test identification Decomposing the overall scenario Stimulus: Do different kind of SQL injections TP: Detection of vulnerability to data structure attacks Observation: Access to data base possible RASEN

18 Security test prioritization Calculating overall risk contribution of items TP: Detection of vulnerability to data structure attacks TP: Software configuration and update checks high TP: Cryptographic strength tests with rainbow tables low RASEN

19 Security test prioritization Calculating overall risk contribution of items The potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization (Source ISO 27000) Testing to find an argument for the absence of potential vulnerabilities. Calculate and rate the risks (probability of unwanted incidents * consequence). Identify the vulnerabilities with the highest impact to the most critical risks. Additional issues to be considered: Impact of the vulnerability to the probability success probability of the threat scenario Efforts needed to sufficiently test for a vulnerability Quality of tests and test coverage TP: Detection of vulnerability to data structure attacks RASEN

20 Contact Fraunhofer Institute for Open Communication Systems FOKUS Kaiserin-Augusta-Allee Berlin, Germany Tel. +49 (30) Fax +49 (30) Innovation Center for Cost-Effective Systems Quality Prof. Dr.-Ing. Ina Schieferdecker Tel. +49 (30) Jürgen Großmann Tel. +49 (30) RASEN