
Security SIG in MTS

Security SIG in MTS. Fraunhofer FOKUS, Sophia Antipolis, 25 January 2012. Overview: SIG#1 meeting report; status and next steps; new contributions (presentation by Ari on terminology, contribution by Ian on lifecycle, TVRA presentation by Jan, Siv and Scott); SIG#1 meeting.


Presentation Transcript


  1. Security SIG in MTS. Fraunhofer FOKUS, Sophia Antipolis, 25 January 2012

  2. Overview
  • SIG#1 meeting report
  • Status and next steps
  • New contributions
  • Presentation by Ari (terminology)
  • Contribution by Ian (lifecycle)
  • TVRA presentation by Jan, Siv, Scott

  3. SIG#1 meeting: participants from ten companies
  • Bryant, Ian (National Policing Improvement Agency)
  • Cadzow, Scott (Cadzow Communications Consulting Ltd.)
  • Grossmann, Juergen (FhG FOKUS)
  • Jakob, Felix (Dornier Consulting Engineering & Services GmbH)
  • Mallouli, Wissam (Montimage)
  • Pietsch, Stephan (Testing Technologies IST GmbH)
  • Rennoch, Axel (FhG FOKUS)
  • Schieferdecker, Ina (FhG FOKUS)
  • Schmitting, Peter (FSCOM SARL)
  • Schulz, Stephan (Conformiq Software Ltd.)
  • Stanca-Kaposta, Bogdan (Testing Technologies IST GmbH)
  • Takanen, Ari (Codenomicon Oy)
  • Vouffo Feudjio, Alain (FhG FOKUS)
  • Weiser, Christian (University of Oulu)

  4. SIG#1 meeting: discussion and outcome
  • Short introduction by FOKUS (cf. Tallinn slides)
  • Discussion on the security scope in MTS
  • Presentation by Scott regarding the need for security evaluation
  • Presentation by Ian regarding a "security testing" lifecycle (from requirements to maintenance)
  • Discussion on NWI "wording"
  • Appointment of rapporteurs: Ari T. and Scott C.

  5. Security "scope" in MTS
  • Model / specification, system risks
  • Risk analysis (paper-based); guidance
  • "Testing" (to break the system)
  • Scanning (libraries) for "known attacks"
  • Functional / traditional testing
  • Negative testing, unknown vulnerabilities, configuration mistakes
  • Fuzzing -> product (units, ...)
  • (Light) penetration testing -> system (= deployed product)
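The scope slide separates functional (traditional) testing, negative testing and fuzzing of product units. The Python below is an added example written for this page, not material from the SIG slides, from ETSI MTS or from any of the named participants: a small record parser is exercised in the three ways the slide names. The TLV format, the deliberately missing bounds check and every input byte string are constructed for illustration. The point it shows is why a functional test and hand-written negative tests can both pass while mutation fuzzing still turns up an unknown defect.

```python
"""Added example for the MTS security scope slide (not from the slides).

Constructed TLV record format: type(1) length(1) value, except type 0xFF,
which carries a 2-byte big-endian extended length. parse_tlv_naive() omits
one bounds check on purpose; parse_tlv_hardened() is the fixed version.
"""
import random
import struct
from typing import Callable, List, Tuple

Record = Tuple[int, bytes]
Parser = Callable[[bytes], List[Record]]

# Constructed seed input: one plain record and one extended-length record.
SEED = b"\x01\x03abc" + b"\xff\x00\x02hi"


def parse_tlv_naive(buf: bytes) -> List[Record]:
    """Parser under test: rejects malformed input with ValueError, but the
    extended-length branch never checks that its two length bytes exist."""
    records, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated header at offset %d" % pos)
        t = buf[pos]
        if t == 0xFF:
            # BUG (deliberate): only 2 bytes were guaranteed above, this reads 3,
            # so a message ending right after 0xFF raises struct.error.
            length = struct.unpack_from(">H", buf, pos + 1)[0]
            pos += 3
        else:
            length = buf[pos + 1]
            pos += 2
        if length > len(buf) - pos:
            raise ValueError("length %d exceeds remaining bytes" % length)
        records.append((t, buf[pos:pos + length]))
        pos += length
    return records


def parse_tlv_hardened(buf: bytes) -> List[Record]:
    """Same format; the header size is known before any header byte is read."""
    records, pos = [], 0
    while pos < len(buf):
        header = 3 if buf[pos] == 0xFF else 2
        if len(buf) - pos < header:
            raise ValueError("truncated header at offset %d" % pos)
        t = buf[pos]
        length = struct.unpack_from(">H", buf, pos + 1)[0] if header == 3 else buf[pos + 1]
        pos += header
        if length > len(buf) - pos:
            raise ValueError("length %d exceeds remaining bytes" % length)
        records.append((t, buf[pos:pos + length]))
        pos += length
    return records


def classify(parser: Parser, data: bytes) -> str:
    """Fuzzing oracle: 'ok' for accepted input, 'rejected' for the parser's
    defined error, 'crash' for any other exception."""
    try:
        parser(data)
    except ValueError:
        return "rejected"
    except Exception:
        return "crash"
    return "ok"


def functional_test(parser: Parser) -> bool:
    """Traditional test: a valid message parses to the expected records."""
    return parser(SEED) == [(0x01, b"abc"), (0xFF, b"hi")]


def negative_test(parser: Parser) -> bool:
    """Hand-written invalid inputs (constructed) must be rejected, never crash.
    Note that none of them happens to exercise the extended-length branch."""
    cases = [b"\x01", b"\x01\x05abc", b"\x01\x03abc\x02"]
    return all(classify(parser, c) == "rejected" for c in cases)


def fuzz(parser: Parser, seed: bytes = SEED, iterations: int = 2000,
         rng_seed: int = 1) -> List[bytes]:
    """Mutation fuzzing of the seed (byte overwrite, truncation, insertion).
    Returns every input that made the parser crash rather than reject."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            op = rng.randrange(3)
            if op == 0 and data:
                data[rng.randrange(len(data))] = rng.randrange(256)
            elif op == 1 and data:
                del data[rng.randrange(len(data)):]
            else:
                data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        if classify(parser, bytes(data)) == "crash":
            crashes.append(bytes(data))
    return crashes


if __name__ == "__main__":
    for p in (parse_tlv_naive, parse_tlv_hardened):
        print(p.__name__, "functional:", functional_test(p),
              "negative:", negative_test(p), "fuzz crashes:", len(fuzz(p)))
```

Both parsers pass the functional and the negative tests; only the fuzzer reports crashes for the naive parser (inputs such as the seed truncated to `01 03 61 62 63 ff 00`), and none for the hardened one. The oracle matters as much as the mutator: a defined rejection (here `ValueError`) is correct behaviour, and only unexpected exceptions count as findings, which is the distinction between negative testing of specified error handling and fuzzing for unknown defects.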

  6. New Work Items
  • Terminology: to collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing, in order to have a common understanding in MTS and related committees.
  • "Educational" material
  • Case study experiences: to assemble case study experiences related to security testing, in order to have a common understanding in MTS and related committees. Industrial experiences may cover, but are not restricted to, the following domains: smart cards, industrial automation, radio protocols, transport/automotive, telecommunication.
  • Security design guide enabling test and assurance (V&V): guidance to application system designers that enables verification and validation across the lifecycle, including case studies from telecommunication and ICT.

  7. Glossary sources
  • Common Criteria for Information Technology Security Evaluation (CC): the driving force for the widest available mutual recognition of secure IT products. The CC web portal provides information on the status of the CCRA, the CC and the certification schemes, licensed laboratories, certified products and related information, news and events.
  • ISO 27000 series of standards: specifically reserved by ISO for information security matters. This aligns with a number of other topics, including ISO 9000 (quality management) and ISO 14000 (environmental management).
  • RFC 2828: abbreviations, explanations, and recommendations for use of information system security terminology.
  • OUSPG's Glossary of Vulnerability Testing Terminology: https://www.ee.oulu.fi/research/ouspg/Glossary
  • ISTQB Glossary of Testing Terms: Standard glossary of terms used in Software Testing, Version 2.1 (1 April 2010), produced by the 'Glossary Working Party', International Software Testing Qualifications Board. Homepage: http://www.german-testing-board.info/de/index.shtm#
  • MBT notations:
  • ETSI ES 202 951 V1.1.1 (2011-07): MTS; MBT Requirements for Modelling Notations
  • ETSI TR 102 840 V1.2.1 (2011-02): MTS; Model-based testing in standardisation
  • Security Information Event Management (ISG ISI)
  Security SIG in MTS, 4-5 October 2011

  8. Meeting discussion
  • Discussion on NWI#3:
  • Lifecycle by Ian to become part of the introduction
  • Work should be aligned with TISPAN
  • Discussion on NWI#1:
  • Ari presents security testing and fuzz testing terminology
  • Separate bundling of terms (intro, list, discussion)
  • Online monitoring may be its own bundle
  • Biggest need identified regarding fuzzing terms
  • No re-definition, but coverage and references
  • Not too much methodology (like fuzzing)
  • Proposal to use a collaborative tool, but ended up with a Word document

  9. Status and next steps: NWIs progress
  • Terminology: initial collection, see contribution by Ari
  • Case studies: starting later
  • Validation: see contribution by Jan, Scott, Siv
  • SIG#2 meeting: next date tbc with Ari and Scott
  • Proposal: to organize a security testing session (three 20 min presentations) for the next ETSI security workshop 2013
