SECURITY SIG IN MTS 28TH JANUARY 2015 PROGRESS REPORT Fraunhofer FOKUS

SECURITY SIG IN MTS 28TH JANUARY 2015

PROGRESS REPORT

Fraunhofer FOKUS

MTS SECURITY SIG Work Items

• TR 101 583: Terminology
• EG 203 250: Security Assurance Lifecycle
• TR 101 582: Case Studies
• EG 203 251: Risk-based Security Testing

Case Studies: To assemble case study experiences related to security testing in order to have a common understanding in MTS and related committees. Industrial experiences may cover, but are not restricted to, the following domains: Smart Cards, Industrial Automation, Radio Protocols, Transport/Automotive, Telecommunication.

Security Assurance Life Cycle: Guidance to the application system designers in such a way to maximise both security assurance and the verification and validation of the capabilities offered by the system's security measures.

Terminology: To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees.

Risk-based Security Testing: Describes a set of methodologies that combine risk assessment and testing. The methodologies are based on standards like ISO 31000 and IEEE 829/29119.

TC MTS – Security SIG – Update 2014-05-27

Published

Final draft

Draft

Draft

TR 101 583: SECURITY TESTING TERMINOLOGY

Security SIG in MTS, 14th January 2014

Document Reference
• TR 101 583

Document Title
• Methods for Testing and Specification (MTS);
• Security testing terminology

Document Purpose
To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees.

Document Status
• Final Draft v0.0.8 (2015-01)

TR 101 583: SECURITY TESTING TERMINOLOGY - PROGRESS

Document Progress
1. New section on risk-based security testing
2. New life-cycle figure
3. Discussing conflicting terms (solved)
• Asset, Model-based security testing, Risk-based testing, Security Requirement, Security test case, Susceptibility, Threat, Unwanted Incident, Vulnerability, Vulnerability Test, Weakness
• Found consensus on definitions
4. Application for remote consensus

EG 203 250: Security Assurance Lifecycle

Document Reference
• DEG 203 250

Document Title
• Methods for Testing and Specification (MTS);
• Security Assurance Lifecycle

Document Purpose
• Guide to the application of security capabilities in systems in such a way to maximise both security assurance and the verification and validation of the capabilities offered by the system's security measures.

Document Status
• Draft v0.0.8 (2015-01)

Security SIG in MTS, 4-5 October 2011

EG 203 251: Security Assurance Lifecycle - Progress

Document Progress
1. Work Plan produced and updated
2. Initial draft structure agreed
3. Design section of Life Cycle drafted
4. TVRA parts reduced
5. Aligned with TR 101 583

Open Issues
• Integration of information from other WI required (ongoing)
• TB approval October 1st, 2015
• Review Cycle: Review feedback until end of February, next version end of this week

EG 203 251: Risk-based Security Testing

Document Reference
• DEG 203 251

Document Title
• Methods for Testing and Specification (MTS);
• Risk-based security testing methodologies
• Proposal for new title: Risk-based security assessment and testing methodologies

Document Purpose
• Describes a set of methodologies that combine risk assessment and testing. The methodologies are based on standards like ISO 31000 and IEEE 829/29119.

Document Status
• Draft v0.0.7 (2015-01)

Discussion and Comments

Issues from last MTS
• Terminology and processes are described differently in the Terminology Report and the Risk-based Security Testing document.
• Added life cycle figure (new Figure in TR 101 583, extended version in EG 203 251)
• Contributed with Risk-based testing part to TR 101 583
• Alignment of terms in both of the documents

Next steps/open issues
• Renaming to Risk-based security assessment and testing methodologies
• Simple risk and testing metrics
• TB approval planned for October 1st, 2015

Outlook

Document timeline:
- TR 101 582 (Case Studies) has been approved in May 2014
- TR 101 583 Terminology to be approved in January 2015
- DEG 203 250 (Security Assurance Lifecycle) to be approved in October 2015
- DEG 203 251 (Risk-based Security Testing) to be approved in October 2015

Future topics/issues/cooperation:
- Requirements metrics and acceptance criteria for Fuzzing (WI proposal planned for next MTS meeting in May 2015)