Security in MTS 14th May2013 SIG Report
SECURITY IN MTS, 14TH MAY 2013
SIG REPORT
Fraunhofer FOKUS
Agenda (14.5.)
4 participants: I. Bryant, A. Takanen, P. Schmitting, A. Rennoch (supported by E. Chaulot-Talmon)
• ISO SC27 & ETSI Security workshop presentation, 26th April
• Idea: MTS & SC27/WG3 liaison
• TODO: send request (with current working documents)
• Discussion of draft document
SC27 WG3 liaison (to be decided)
• ISO/IEC 24759: Test requirements for cryptographic modules
• ISO/IEC 30127: Detailing software penetration testing under ISO/IEC 15408 and ISO/IEC 18045 vulnerability analysis
• ISO/IEC TR 20004: Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
• for ETSI 101583 (Terminology)
• for ETSI 201581 (Security guidelines)
• WG3 is interested in ETSI 101582 (case studies)
SC27 WG4 liaison (to be decided)
• ISO/IEC 27034-4: Application security validation
• for ETSI 201581 (Security guidelines)
WI status and schedules
1. Terminology and Concepts (Ari): 3rd draft (Word document) considered comments and updates -> needs to be reviewed (CTI or E2NA)
2. Case studies (Ari/Jürgen): Plan: early draft with two case studies (Diamonds); 2-3 more case studies expected September (from Diamonds and Spacios)
WI status and schedules
3. Design guide V&V (Scott/Ian): -> new draft available with new input from Ian and Scott (still early draft). Plan: stable draft and review in September.
4. Security Testing Methodology (Scott): Plan: results to be integrated in V&V
„Terminology“ (3rd draft)
3 Definitions, symbols and abbreviations
4 Introduction to security testing
4.1 Types of security testing
4.2 Penetration testing tools
4.3 Test verdicts in security testing
5 Security test requirements
6 Functional security testing
7 Performance testing for security
8 Fuzz testing
9 Security testing activities mapped to SDLC
„Case studies“ (1st draft)
Project case studies from:
• DIAMONDS project
  • G&D Banking (available)
  • Accurate (available)
  • Radio
  • Automotive
  • More?
• SPACIOS project
  • tbd
„Case studies“ (1st draft)
For each of the case studies a similar structure of the description is planned. It will consist of the following parts:
• Characterization
• Background (challenges)
• System under Test
• Risk Analysis
• Security Testing Approaches
  • Applied approaches
  • Comparison with SoA tools/techniques
• Results so far
  • Expectations
  • Test Results
• Exploitation (value of techniques)
Next steps
• Jürgen/Peter: complete Diamonds case study input
• Ari/Peter: invite E2NA and CTI to review Terminology & Concepts (after stable draft) ???
• Ian/Scott: provide stable draft for September
• MTS: request formal liaison with ISO SC27/WG3&4
Next SIG meetings
• Discussion of current drafts in MTS#59
• No SIG meeting planned (only if new drafts available)