This report provides an overview of the SIG#1 meeting on security testing in MTS. It covers the discussion of the security scope in MTS, term definitions, the security testing lifecycle, and the new work items (NWIs). The report also outlines the progress of the NWIs and proposes a security testing session for the next ETSI security workshop.
Security SIG in MTS Fraunhofer FOKUS Sophia Antipolis, 25 January 2012
Overview
• SIG#1 meeting report
• Status and next steps
• New contributions
• Presentation by Ari (terminology)
• Contribution by Ian (lifecycle)
• TVRA presentation by Jan, Siv, Scott
SIG#1 meeting: participants from ten companies
• Bryant, Ian – National Policing Improvement Agency
• Cadzow, Scott – Cadzow Communications Consulting Ltd.
• Grossmann, Juergen – FhG FOKUS
• Jakob, Felix – Dornier Consulting Engineering & Services GmbH
• Mallouli, Wissam – Montimage
• Pietsch, Stephan – Testing Technologies IST GmbH
• Rennoch, Axel – FhG FOKUS
• Schieferdecker, Ina – FhG FOKUS
• Schmitting, Peter – FSCOM SARL
• Schulz, Stephan – Conformiq Software Ltd.
• Stanca-Kaposta, Bogdan – Testing Technologies IST GmbH
• Takanen, Ari – Codenomicon Oy
• Vouffo Feudjio, Alain – FhG FOKUS
• Weiser, Christian – University of Oulu
SIG#1 meeting: discussion and outcome
• Short introduction by FOKUS (cp. Tallinn slides)
• Discussion on the security scope in MTS
• Presentation by Scott regarding the need for security evaluation
• Presentation by Ian regarding the "security testing" lifecycle (from requirements to maintenance)
• Discussion on NWI "wording"
• Appointment of rapporteurs: Ari T. and Scott C.
Security "scope" in MTS
• Model / specification, system risks
• Risk analysis (paper-based)
• Guidance
• "Testing" (to break the system)
• Scanning (libraries) for "known attacks"
• Functional / traditional testing
• Negative testing: unknown vulnerabilities, configuration mistakes
• Fuzzing -> product (units, ...)
• (Light) penetration testing -> system (= deployed product)
New Work Items
• Terminology: to collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing, in order to have a common understanding in MTS and related committees.
• "Educational" material
• Case study experiences: to assemble case study experiences related to security testing, in order to have a common understanding in MTS and related committees. Industrial experiences may cover, but are not restricted to, the following domains: smart cards, industrial automation, radio protocols, transport/automotive, telecommunication.
• Security design guide enabling test and assurance (V&V): guidance to application system designers that enables verification and validation across the lifecycle, including case studies from telecommunication and ICT.
Glossary sources
• Common Criteria for Information Technology Security Evaluation (CC) is the driving force for the widest available mutual recognition of secure IT products. The CC web portal supports information on the status of the CCRA, the CC and the certification schemes, licensed laboratories, certified products and related information, news and events.
• The ISO 27000 series of standards has been specifically reserved by ISO for information security matters. This, of course, aligns with a number of other topics, including ISO 9000 (quality management) and ISO 14000 (environmental management).
• RFC 2828: abbreviations, explanations, and recommendations for use of information system security terminology.
• OUSPG's Glossary of Vulnerability Testing Terminology, https://www.ee.oulu.fi/research/ouspg/Glossary
• ISTQB Glossary of Testing Terms: Standard glossary of terms used in Software Testing, Version 2.1 (April 1st, 2010), produced by the 'Glossary Working Party', International Software Testing Qualifications Board. Homepage: http://www.german-testing-board.info/de/index.shtm#
• MBT notations:
  • ETSI ES 202 951 V1.1.1 (2011-07) – MTS; MBT Requirements for Modelling Notations
  • ETSI TR 102 840 V1.2.1 (2011-02) – MTS; Model-based testing in standardisation
• Security Information Event Management (ISG ISI)
Security SIG in MTS, 4-5 October 2011
Meeting discussion
• Discussion on NWI#3:
  • Lifecycle by Ian becomes part of the introduction
  • Work should be aligned with TISPAN
• Discussion on NWI#1:
  • Ari presents security testing and fuzz testing terminology
  • Separate bundling of terms (introduction, list, discussion)
  • Online monitoring may be its own bundle
  • Biggest need identified regarding fuzzing terms
  • No re-definition of terms, but coverage and references
  • Not too much methodology (e.g. fuzzing)
  • Proposal to use a collaborative tool, but ended up with a Word document
Status and next steps: NWI progress
• Terminology: initial collection, see contribution by Ari
• Case studies: starting later
• Validation: see contribution by Jan, Scott, Siv
• SIG#2 meeting: next date to be confirmed with Ari and Scott
• Proposal: to organize a security testing session (three 20-minute presentations) for the next ETSI security workshop in 2013