Security in MTS, SIG Report, 14th May 2013
Fraunhofer FOKUS
Agenda (14.5.)
• 4 participants: I. Bryant, A. Takanen, P. Schmitting, A. Rennoch (supported by E. Chaulot-Talmon)
• ISO SC27 & ETSI Security workshop presentation, 26th April
• Idea: MTS & SC27/WG3 liaison
  • TODO: send request (with current working documents)
• Discussion of draft document
SC27 WG3 liaison (to be decided)
• ISO/IEC 24759: Test requirements for cryptographic modules
• ISO/IEC 30127: Detailing software penetration testing under ISO/IEC 15408 and ISO/IEC 18045 vulnerability analysis
• ISO/IEC TR 20004: Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
• Relevant for ETSI 101583 (Terminology)
• Relevant for ETSI 201581 (Security guidelines)
• WG3 is interested in ETSI 101582 (case studies)
SC27 WG4 liaison (to be decided)
• ISO/IEC 27034-4: Application security validation
• Relevant for ETSI 201581 (Security guidelines)
WI status and schedules
• Terminology and Concepts (Ari): 3rd draft (Word document) incorporates the comments and updates received -> needs to be reviewed (CTI or E2NA)
• Case studies (Ari/Jürgen): Plan: early draft with two case studies (DIAMONDS); 2-3 more case studies expected in September (from DIAMONDS and SPACIOS)
WI status and schedules (continued)
• Design guide V&V (Scott/Ian): new draft available with new input from Ian and Scott (still an early draft). Plan: stable draft and review in September.
• Security Testing Methodology (Scott): Plan: results to be integrated in V&V.
"Terminology" (3rd draft), table of contents:
3 Definitions, symbols and abbreviations
4 Introduction to security testing
  4.1 Types of security testing
  4.2 Penetration testing tools
  4.3 Test verdicts in security testing
5 Security test requirements
6 Functional security testing
7 Performance testing for security
8 Fuzz testing
9 Security testing activities mapped to SDLC
"Case studies" (1st draft)
• Project case studies from:
  • DIAMONDS project
    • G&D Banking (available)
    • Accurate (available)
    • Radio
    • Automotive
    • More?
  • SPACIOS project
    • tbd
"Case studies" (1st draft)
• For each case study a similar description structure is planned, consisting of the following parts:
  • Characterization
    • Background (challenges)
    • System under Test
    • Risk Analysis
  • Security Testing Approaches
    • Applied approaches
    • Comparison with SoA tools/techniques
  • Results so far
    • Expectations
    • Test Results
    • Exploitation (value of techniques)
Next steps
• Jürgen/Peter: complete DIAMONDS case study input
• Ari/Peter: invite E2NA and CTI to review Terminology & Concepts (after stable draft) ???
• Ian/Scott: provide stable draft for September
• MTS: request formal liaison with ISO SC27/WG3 & WG4
• Next SIG meetings
  • Discussion of current drafts in MTS#59
  • No SIG meeting planned (only if new drafts are available)