Combining Security Risk Assessment and Security Testing based on Standards



Similar documents
Combining Security Risk Assessment and Security Testing Based on Standards

Risk Assessment and Security Testing Johannes Viehmann 2015 of Large Scale Networked Systems with RACOMAT

ETSI GUIDE Methods for Testing & Specification; Risk-based Security Assessment and Testing Methodologies

INTERNATIONAL TELECOMMUNICATION UNION

TECHNICAL REPORT Methods for Testing and Specification (MTS); Security Testing; Basic Terminology

Kangas Cybersecurity strategy

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

EXAM PREPARATION GUIDE

Estimating Impact of Change

Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids

Medical Device Software Standards for Safety and Regulatory Compliance

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

Test Management Tool for Risk-based Security Testing

ISO/IEC JTC 1/WG 10 Working Group on Internet of Things. Sangkeun YOO, Convenor

Change & configuration management

ISO/IEC Information & ICT Security and Governance Standards in practice. Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT

Secure Software Design in Practice ARES SECSE Workshop

Data Governance Center Positioning

PROTIVITI FLASH REPORT

Risk Management in Practice A Guide for the Electric Sector

Risk-driven Security Testing versus Test-driven Security Risk Analysis

Using Information Shield publications for ISO/IEC certification

Smart Grid Information Security

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Methods Commission CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS. 30, rue Pierre Semard, PARIS

UIIPA - Security Risk Management. June 2015

RISK MANAGEMENT & ISO 9001:2015. Greg Hutchins PE CERM Quality + Engineering CERM Academy GregH@CERMAcademy.com 800.COMPETE or

Core Fittings C-Core and CD-Core Fittings

OIML D 18 DOCUMENT. Edition 2008 (E) ORGANISATION INTERNATIONALE INTERNATIONAL ORGANIZATION

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

Model State Regulation for Supervision, Roles, and Responsibilities During the Delivery of Occupational Therapy Services

ESCoRTS A European network for the Security of Control & Real Time Systems

Standardization: Plans and Progress Franz ZICHY Vice-Chairman Working Party 3 of ITU-T Study Group 5

Introduction to Automated Testing

ISACA rudens konference

Keywords document, agile documentation, documentation, Techno functional expert, Team Collaboration, document selection;

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Standard Glossary of Terms Used in Software Testing. Version 3.01

SOFTWARE QUALITY & SYSTEMS ENGINEERING PROGRAM. Quality Assurance Checklist

What changes will ISO 9001:2015 bring?

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Risk Management

Towards a standard approach to supply chain integrity. Claire Vishik September 2013

On Efficient Collaboration between Lawyers and Software Engineers when Transforming Legal Regulations to Law-related Requirements

ISO/IEC/IEEE The New International Software Testing Standards

Standards for Cyber Security

Software Engineering/Courses Description Introduction to Software Engineering Credit Hours: 3 Prerequisite: (Computer Programming 2).

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Human Factors in Information Security

Application Security Center overview

IEEE SESC Architecture Planning Group: Action Plan

EXAM PREPARATION GUIDE

Smart grid security analysis

Certification Report

Cyber Security and Privacy - Program 183

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

TECHNICAL SPECIFICATION

State of Oregon. State of Oregon 1

CESG Certification of Cyber Security Training Courses

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Certified Information Security Manager (CISM)

RFIDs and European Policies

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Software Process Maturity Model Study

IT Risk Management Era: Research Challenges and Best Practices. Eyal Adar, Founder & CEO Eyal@WhiteCyberKnight.com Chairman of the EU SRMI

NIST Cyber Security Activities

Usability Issues in Web Site Design

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium , Miami Beach FL / USA

DRAFT TABLE OF CONTENTS 1. Software Quality Assurance By Dr. Claude Y Laporte and Dr. Alain April

2012 ISO TC46/SC4/WG11 N246

RE tools survey (part 1, collaboration and global software development in RE tools)

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

Usability metrics for software components

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

ELECTRONIC TRACEABILITY SYSTEMS VS. PAPER BASED TRACEABILITY SYSTEMS

IMDRF/SaMD WG (PD1)/N23R3 PROPOSED DOCUMENT. International Medical Device Regulators Forum

The Next Generation of Security Leaders

TEST PLAN Issue Date: <dd/mm/yyyy> Revision Date: <dd/mm/yyyy>

Transcription:

Jürgen Großmann (FhG Fokus) Fredrik Seehusen (SINTEF ICT) Combining Security Risk Assessment and Security Testing based on Standards 3 rd RISK Workshop at OMG TC in Berlin, 2015-06-16 3 rd RISK Workshop 2015 1

FP7 project RASEN (RASEN - 316853) Developing methods and tools to support security assessments for largescale networked infrastructures by considering: 1.technical aspects 2.legal and regulatory aspects 3.uncertainty and risk 3 rd RISK Workshop 2015 2

The RASEN method for security testing, risk & compliance assessment Conforms to ISO/IEC 31000 Integrates risk assessment, compliance assessment and security testing in a meaningful manner Addresses management aspects as well as assessment aspects facts expert judgment 3 rd RISK Workshop 2015 3

Serves with different instantiations for different tasks Risk-based compliance assessment Test-based risk assessment Risk-based security testing 3 rd RISK Workshop 2015 4

Two main workstreams: Risk assessment and security testing A test-based security risk assessment process (1) starts with the risk assessment is used to optimize security risk assessment with empirical data coming from test results or compliance issues. A risk-based method for compliance and security testing (2) starts with the identification of issues by security testing or compliance assessment focus the compliance and security testing resources on the areas that are most likely to cause concern building and prioritizing the compliance measures or testing program around these risks. 3 rd RISK Workshop 2015 5

Workstream 1: Test-based security risk assessment 1. Test-based risk identification 2. Test-based risk estimation Basic idea: improve risk assessment activities through facts from testing Communicate & Consult Monitoring & Review 3 rd RISK Workshop 2015 6

Test-based risk identification a) Test-based threat and threat scenario identification b) Test-based vulnerability identification 3 rd RISK Workshop 2015 7

Test-based risk estimation a) Test-based likelihood estimation b) Test-based estimate validation 3 rd RISK Workshop 2015 8

Workstream 2: Risk-based security testing compliant to ISO 29119 1. Risk-based security test planning 2. Risk-based security test design & implementation 3. Risk-based test execution, analysis & summary Basic idea: focus testing activities on high risk areas 3 rd RISK Workshop 2015 9

Risk-based security test design and implementation a Identify Feature Sets & Potential Vulnerabilities Threat and Vulnerability Assessment Derive Test Conditions b Test Design Specification Derive Test Coverage Items c Derive Test Cases Test Case Specification a) Risk-based identification and prioritization of features sets b) Risk-based derivation of test conditions and test coverage items c) Threat scenario based derivation of test cases d) Risk-based assembly of test procedures Risk Evaluation Results Assemble Test Sets Test Procedure Specification Security Risk Assessment Artefacts d Derive Test Procedures 3 rd RISK Workshop 2015 10

Activities are specified in detail to provide guidance 3 rd RISK Workshop 2015 11

Supported by the RASEN toolbox and the RASEN exchange format RASEN - 316853 12

Mapping to System Lifecycle Phases Design & Implementation Verification & Validation Continuous Risk Management Operation & Maintenance Penetration Test System Security Risk Analysis Provision of risk assessment results Provision of test results System Security Test System Security Regression Test Perspectives System perspective Component perspective Update Refinement Component Security Risk Analysis Provision of risk assessment results Provision of test results Component Security Test Component Security Regression Test RASEN - 316853 13

The RASEN method is itself in standardization Case Studies: To assemble case study experiences related to security testing. Industrial experiences may cover but are not restricted to the following domains: Smart Cards, Industrial Automation, Radio Protocols, Transport/Automotive, Telecommunication Security Assurance Life Cycle: Guidance to the application system designers in such a way to maximise both security assurance and the verification and validation of the capabilities offered by the system's security measures. Stable Draft Published Published 3 rd RISK Workshop 2015 Terminology: To collect the basic terminology and ontology (relationship between stake holder and application) to be used for security testing in order to have a common understanding in MTS and related committees. Risk assessment and riskbased security testing methodologies: Describes a set of methodologies that combine risk assessment and testing. The methododologies are based on standards like ISO 31000 and IEEE 29119 Stable Draft

RASEN method summary Covers the integration of security testing, risk & compliance assessment Is concisely specified and supported by tools Is mature and powerful applied to all RASEN case studies integrates with recent risk assessment and testing standards constitutes standardization work item at ETSI 3 rd RISK Workshop 2015 15

RASEN - 316853 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information