-
Component-oriented Pattern-driven Security Testing with RACOMAT
Our RACOMAT tool combines component based, low level risk assessment with security testing. RACOMAT facilitates undertaking risk analyses for component-based testing and produces reusable risk assessment artifacts in well-known formats. Furthermore RACOMAT is integrated with external data bases such as the MITRE CAPEC and the MITRE CWE.
As main functionalities, our tool allows for semi-automated test derivation as well as automation of the test execution process. Figures 1 and 2 below illustrate some of the major decision points in test management where the RACOMAT tool makes an impact.
Figure 1 – Test Design and Implementation Challenges
Figure 1 above illustrates some of the challenges apparent in a standardized test design and derivation process. Once tests are set up and executed, the next phase consists of evaluating the results This comes with its own challenges as shown within Figure 2 below. Our tool contributes to addressing several of the outlined challenges:
- Automatic creation of interface models
- Semi-automated generation of initial fault trees or CORAS risk graphs
- “Drag and Drop” editing and composition
- Automated likelihood calculation for dependent incidents
- Suggesting associations with identified threat scenarios and system components
- Calculating the amount of testing effort that should be spend
- At least semi-automated generation, execution and evaluation of tests
Figure 2 – Challenges In Security Test Evaluation
Our tool already combines risk assessment with security testing tightly while supporting other analysis methods such as simulation, monitoring, verification and review, with basic threat simulation using the Monte Carlo method already implemented. While work is currently underway on the RACOMAT tool, it is already under internal evaluation as part of the project’s use cases.
5 Dec 2014 / rasen_adm / Comments Off
The RASEN tool-supported method for risk-based security testing and compliance assessment Risk-Based Security Testing Primer