CHARIOT-VESSEDIA Workshop: “THE ROAD AHEAD FOR A COGNITIVE COMPUTING PLATFORM SUPPORTING A UNIFIED APPROACH TOWARDS PRIVACY, SECURITY AND SAFETY (PSS) OF IOT SYSTEMS”
ISO Standard 23643 development on verification and validation tools
Emmanuel Querrec, TUAS (VESSEDIA)
CHARIOT-VESSEDIA Workshop, 9 May 2019, Dublin, Ireland
The ISO standard
• Name of the standard:
  • ISO/IEC DIS 23643: Software and systems engineering – Capabilities of security and safety verification tools (SSVT)
• Objective of the standard:
  • Raise and harmonize knowledge of SSVT, and support the efforts put into verification against software vulnerabilities while ensuring the traceability of those efforts.
  • Complement ISO/IEC 15408 Security Techniques.
NP (New work item proposal) → WD (Working draft) → CD / FCD (Committee / final committee draft) → DIS / FDIS (Draft / final draft international standard) → IS
The conformity assessment scheme (CAS) for certification
• Name of the CAS:
  • Verified in Europe
• Objective of the CAS:
  • Give visibility, throughout the verification value chain and especially to the end market, to software for which effort has been put into safety and security verification, by pinpointing the verification tool capabilities that were applied (with reference to the taxonomy newly set by the ISO standard).
Task 1: participant profile (tick the correct statements, multiple choices allowed)
• I am:
  • End-user of IoT device(s) for private purpose (smart car, smart TV, remotely connected device, etc.; not a smart phone!)
  • End-user/manager of IoT device for professional purpose (used in my company)
  • End-user of software/application installed directly on, or connected through a network to, my IoT device (whether private or professional)
  • Developer of software/application
  • Evaluator of software/application (e.g. security evaluation service)
  • Involved in duties connected to standardization and certification (e.g. work group, certification body or accreditation body)
  • ___________________________________________________________ (free choice)
Task 2: software safety and security verification efforts throughout the SDLC (V-model adapted)
• All participants, for each phase of the SDLC: allocate a representative budget, in percentage of total SSSV efforts, between the 6 phases; put values so that they add up to 100 in each of the 6 small shapes displayed as:
• Tool practitioner or acquainted participants: for each phase of the SDLC, name the safety and security verification tool(s) you use or are familiar with, in the shapes displayed as:
Phases of the SDLC (V-model):
1. Requirements definition, global specifications
2. Detailed specifications
3. Refinement/design
4. Code implementation
5. Unit testing, test cases, integration-testing
6. System integration, testing and validation
The VESSEDIA software security verification tool capabilities
• Software security verification tool capabilities address vulnerabilities throughout the stages of the SDLC to cope with security risks when operating on IoT devices.
• In VESSEDIA, we introduce the following software security verification tool capabilities:
  • Risk analysis tools
  • Vulnerability analysis tools
  • Security modeling tools
  • Threat modeling tools
• Examples given on the slide:
  • Penetration testing
  • Definition of security objectives
  • STRIDE model
  • Root cause analysis
Task 3: Security risks
• Security risks: intentional, unauthorized act(s) designed to cause harm or damage.
• Which security risks on which IoT devices are your main concern?
Task 4: Safety risks
• Safety risks: “unacceptable risk that might lead to death or serious injury to people, loss or severe damage to property, or severe environmental harm”.
• Which safety risks on which IoT devices are your main concern?
The VESSEDIA software safety verification tool capabilities
• Software safety verification tool capabilities address vulnerabilities throughout the stages of the SDLC to cope with safety risks when operating on IoT devices.
• In VESSEDIA, we introduce the following software safety verification tool capabilities:
  • Proof tools
  • Monitoring tools
  • Program analysis tools
  • Model-checking tools
  • Specification and refinement tools
  • Programming rules checkers
• Examples given on the slide:
  • Level 1: Use of compiler diagnostic; Level 2: Heuristic static analysis; Level 3: Sound static analysis
  • Automatic theorem provers
  • Automatic theorem provers
  • Control flow graph
  • Check specifications at runtime
  • Syntax and semantic rules in programming
Contact
• If you are interested in receiving updates on our standard or in joining the interest group to steer the Verified in Europe CAS, please provide your contact information to the VESSEDIA team:
  Name:
  Company:
  E-mail:
  Phone:
Contact Details
https://www.vessedia.eu/
Emmanuel Querrec
emmanuel.querrec@turkuamk.fi
The projects CHARIOT & VESSEDIA have received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 780075 & No 731453.