SECURITY SIG IN MTS
Fraunhofer FOKUS
Sophia Antipolis, 25 January 2012
Overview
• SIG#1 meeting report
• Status and next steps
• New contributions
  • Presentation by Ari (terminology)
  • Contribution by Ian (lifecycle)
  • TVRA presentation by Jan, Siv, Scott
SIG#1 meeting
Participants from ten companies:
• Bryant, Ian (National Policing Improvement Agency)
• Cadzow, Scott (Cadzow Communications Consulting Ltd.)
• Grossmann, Juergen (FhG FOKUS)
• Jakob, Felix (Dornier Consulting Engineering & Services GmbH)
• Mallouli, Wissam (Montimage)
• Pietsch, Stephan (Testing Technologies IST GmbH)
• Rennoch, Axel (FhG FOKUS)
• Schieferdecker, Ina (FhG FOKUS)
• Schmitting, Peter (FSCOM SARL)
• Schulz, Stephan (Conformiq Software Ltd.)
• Stanca-Kaposta, Bogdan (Testing Technologies IST GmbH)
• Takanen, Ari (Codenomicon Oy)
• Vouffo Feudjio, Alain (FhG FOKUS)
• Weiser, Christian (University of Oulu)
SIG#1 meeting
Discussion and outcome
• Short introduction by FOKUS (cf. Tallinn slides)
• Discussion on the security scope in MTS
  • Presentation by Scott on the need for security evaluation
  • Presentation by Ian on the "security testing" lifecycle (from requirements to maintenance)
• Discussion on the NWI "wording"
• Appointment of rapporteurs: Ari T. and Scott C.
Security "scope" in MTS
• Model / specification, system risks
  • Risk analysis (paper-based): guidance
• "Testing" (trying to break the system)
  • Scanning (e.g. of libraries) for known attacks
  • Functional / traditional testing
  • Negative testing: unknown vulnerabilities, configuration mistakes
    • fuzzing -> product (units, ...)
    • (light) penetration testing -> system (= deployed product)
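The distinction the scope slide draws between functional testing (does the unit do what the specification says) and negative testing or fuzzing (does the unit stay safe on input the specification never mentioned) is easiest to see on a concrete harness. The Python below is an added example, not code from the original slides or from any ETSI work item: it fuzzes a small hypothetical TLV record parser with systematic byte mutations and truncations. The record format, both parser variants, the seed message and the mutation set are all constructed for this illustration. A "finding" is any exception other than the parser's own ValueError rejection, which is how the harness tells a deliberately rejected input from a crash.

```python
"""Added example: fuzzing as negative testing of a unit, next to the functional test
that the same unit passes. The TLV format, both parsers, the seed message and the
mutation strategy are constructed for this illustration (hypothetical, not ETSI artefacts).
"""
import struct
from typing import Callable, Iterator

# Constructed record format: 1-byte type, 1-byte length, value.
#   type 1: big-endian uint16 (length must be 2)
#   type 2: ASCII text
SEED = bytes([1, 2, 0x00, 0x2A, 2, 3]) + b"abc"  # two valid records: (1, 42), (2, "abc")


def parse_records_buggy(buf: bytes) -> list:
    """Passes the functional test on valid input, but trusts the length field."""
    records, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")  # intended rejection
        rtype, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]  # BUG: length is never checked against the buffer
        if rtype == 1:
            # struct.error (not ValueError) when value is not exactly 2 bytes: a crash, not a rejection
            records.append((rtype, struct.unpack(">H", value)[0]))
        elif rtype == 2:
            records.append((rtype, value.decode("ascii")))  # UnicodeDecodeError is a ValueError
        else:
            raise ValueError(f"unknown record type {rtype}")
        i += 2 + length
    return records


def parse_records_hardened(buf: bytes) -> list:
    """Same format, but every length is validated before it is used."""
    records, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        rtype, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            raise ValueError("value exceeds buffer")
        value = buf[i + 2:i + 2 + length]
        if rtype == 1:
            if length != 2:
                raise ValueError("type 1 value must be exactly 2 bytes")
            records.append((rtype, struct.unpack(">H", value)[0]))
        elif rtype == 2:
            records.append((rtype, value.decode("ascii")))
        else:
            raise ValueError(f"unknown record type {rtype}")
        i += 2 + length
    return records


def mutations(seed: bytes) -> Iterator[bytes]:
    """Deterministic mutations: boundary values at every byte position, then every truncation."""
    for pos in range(len(seed)):
        for val in (0x00, 0x01, 0x7F, 0x80, 0xFF):
            m = bytearray(seed)
            m[pos] = val
            yield bytes(m)
    for cut in range(len(seed)):
        yield seed[:cut]


def fuzz(parser: Callable[[bytes], list], seed: bytes) -> list:
    """Run every mutation through the parser.

    ValueError is the parser's intended rejection and is not a finding; any other
    exception means the unit broke on unexpected input. Returns (input, exception) pairs.
    """
    findings = []
    for case in mutations(seed):
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:  # a fuzzer deliberately catches everything else
            findings.append((case, f"{type(exc).__module__}.{type(exc).__name__}"))
    return findings


if __name__ == "__main__":
    # Functional test: both parsers agree on the valid seed, so it alone would not reveal the bug.
    assert parse_records_buggy(SEED) == parse_records_hardened(SEED) == [(1, 42), (2, "abc")]
    for name, parser in (("buggy", parse_records_buggy), ("hardened", parse_records_hardened)):
        found = fuzz(parser, SEED)
        print(f"{name}: {len(found)} crashing inputs")
        for case, exc in found:
            print(f"  {case.hex()}  ->  {exc}")
```

The point of classifying exceptions rather than just catching them is that a parser is allowed to reject bad input; what the harness is hunting for is the input on which the unit does something the author did not plan, here a struct.error from an over-long or truncated length field. The hardened variant also rejects the truncated-value case that the buggy parser silently accepts as an empty record, which a functional test on the valid seed would never exercise.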
New Work Items
• Terminology: to collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing, in order to have a common understanding in MTS and related committees.
• "Educational" material
  • Case study experiences: to assemble case study experiences related to security testing, in order to have a common understanding in MTS and related committees. Industrial experiences may cover, but are not restricted to, the following domains: Smart Cards, Industrial Automation, Radio Protocols, Transport/Automotive, Telecommunication.
  • Security design guide enabling test and assurance (V&V): guidance to application system designers that enables verification and validation across the lifecycle, including case studies from telecommunication and ICT.
Glossary sources
• Common Criteria for Information Technology Security Evaluation (CC): the driving force for the widest available mutual recognition of secure IT products. The CC web portal provides information on the status of the CCRA, the CC and the certification schemes, licensed laboratories, certified products and related information, news and events.
• ISO 27000 series of standards: reserved by ISO for information security matters. This aligns with a number of other topics, including ISO 9000 (quality management) and ISO 14000 (environmental management).
• RFC 2828: abbreviations, explanations and recommendations for use of information system security terminology (since obsoleted by RFC 4949, Internet Security Glossary, Version 2).
• OUSPG's Glossary of Vulnerability Testing Terminology: https://www.ee.oulu.fi/research/ouspg/Glossary
• ISTQB Glossary of Testing Terms: Standard glossary of terms used in Software Testing, Version 2.1 (1 April 2010), produced by the 'Glossary Working Party' of the International Software Testing Qualifications Board. Homepage: http://www.german-testing-board.info/de/index.shtm#
• MBT notations
  • ETSI ES 202 951 V1.1.1 (2011-07): MTS; MBT Requirements for Modelling Notations
  • ETSI TR 102 840 V1.2.1 (2011-02): MTS; Model-based testing in standardisation
• Security Information Event Management (ISG ISI)
Security SIG in MTS, 4-5 October 2011
Meeting discussion
• Discussion on NWI#3
  • The lifecycle contributed by Ian becomes part of the introduction
  • Work should be aligned with TISPAN
• Discussion on NWI#1
  • Ari presents security testing and fuzz testing terminology
  • Separate bundling of terms (introduction, list, discussion)
  • Online monitoring may be its own bundle
  • Biggest need identified regarding fuzzing terms
  • No re-definition of terms, but coverage and references
  • Not too much methodology (such as fuzzing)
  • Proposal to use a collaborative tool, but ended up with a Word document
Status and next steps
NWI progress
• Terminology: initial collection, see contribution by Ari
• Case studies: starting later
• Validation: see contribution by Jan, Scott, Siv
SIG#2 meeting: next date to be confirmed with Ari and Scott
Proposal: to organize a security testing session (three 20-minute presentations) for the next ETSI security workshop in 2013