
Deliverables
Year 3 Deliverables
D2.3.2 – Use Case Evaluation (v2)
Responsible partner: Info World
Editor: Arthur Molnar (Info World)
Abstract
The overall objective of RASEN WP2 is to identify use case scenarios contributed by the partners in the project, analyze them regarding their requirements and finally evaluate the case studies on software developed within the project. The purpose of the current document is to detail the second phase of the evaluation process taking place within the project’s third and final year as well as to evaluate the project progress with regards to partner established criteria.
RASEN-D2.3.2-V1.0-Use_case_evaluation_v2.pdf
D3.2.3 – Techniques for Compositional Test-Based Security Risk Assessment v.3
Responsible partner: Software AG
Editor: Bjørnar Solhaug (SINTEF)
Abstract
This deliverable reports on the main results of RASEN WP3 from the third and final year of the project. The tasks that have been addressed are: (T3.1) the development of techniques for compositional security risk assessment, (T3.2) the development of techniques for test-based security risk assessment, and (T3.3) the development of techniques for continuous risk assessment by means of test-based indicators. The RASEN approach to component-based and test-based security risk assessment has been further developed, including the tool support. In particular, this deliverable documents the following WP3 contributions: tool-supported techniques for component-based security risk assessment supported by testing; security test result aggregation using test metrics and risk metrics; and a tool-supported approach to component-based security risk assessment for composition of risk assessment results.
RASEN-D3.2.3-V1.0-Techniques_for_compositional_test_based_security_assessment_v3.pdf
D3.3.3, D4.3.3 – RASEN Tools for: Compositional security risk assessment and security test result aggregation v.3 and Compositional Security Risk Assessment and Security Testing v.3 (Brief Description, Documentation and Installation Guide)
Responsible partner: UFC
Editor: Fabien Peureux (UFC)
Abstract
This report provides some basic information about the tools of the WP3 and WP4 prototype deliverable month M36. The delivered tools are CORAS from SINTEF, RACOMAT and RASEN Security Dashboard from Fraunhofer FOKUS, Smartesting CertifyIt and its plugin from UFC, and ARIS Business Architect from Software AG.
RASEN-D3.3.3-D4.3.3-V1.0-Tools_for_compositional_security_risk_assessment_and_security_testing.pdf
D4.2.3 – Techniques for Compositional Risk-Based Security Testing v.3
Responsible partner: Fraunhofer FOKUS
Editor: Jürgen Großmann (Fraunhofer FOKUS)
Abstract
WP4 has developed a framework for security testing guided by risk assessment. This framework, starting from security test patterns and test generation models, allows for a compositional security testing approach that is able to deal with large-scale networked systems. This deliverable is the final part of a series of three deliverables (D4.2.1, D4.2.2, D4.2.3) that document how the RASEN approach for risk-based security testing has been evolved through continuous and iterative updates. It provides the final update for the RASEN approach of formalizing test patterns using the Test Purpose Language, and it introduces the RASEN Testing Dash Board for Test Result Aggregation.
RASEN-D4.2.3-V1.0-Techniques_for_compositional_risk-based_security_testing.pdf
D5.3.3 – Methodologies for Legal, Compositional, and Continuous Risk Assessment and Security Testing v.3
Responsible partner: SINTEF
Editors: Fredrik Seehusen (SINTEF), Bjørnar Solhaug (SINTEF)
Abstract
This deliverable documents the application of the RASEN methodology within different processes and for different domains. The processes that are considered are established approaches to software development and security assessment so as to demonstrate the wider applicability and usefulness of the RASEN methodology. Two specific domains are moreover highlighted, namely cybersecurity and cloud sourcing. Both of these are highly relevant given the mainstream ICT infrastructures of today, and they both represent important current and emerging security challenges. The deliverable presents WP5 results from the third and final year of the RASEN project regarding task T5.1 (Methodology for compositional and continuous risk assessment and security testing of large scale networked systems) and T5.2 (Methodology for legal risk assessment and security testing of large scale networked systems).
RASEN-D5.3.3-V1.0-Methodologies_for_legal_compositional_and_continuous_risk_assessment_and_security_testin_v3.pdf
D5.4.3 – A Toolbox for Security Risk Assessment and Security Testing
Responsible partner: Fraunhofer FOKUS
Editor: Jürgen Großmann (Fraunhofer FOKUS)
Abstract
The RASEN risk assessment and security testing toolbox provides integration support for the RASEN approach to risk-based security testing and test-based security risk assessment. This deliverable contains updates of the RASEN Data Integration Model and RASEN Data Exchange Format. It presents the Integration Scenarios that have been achieved in using the RASEN Data Exchange Format.
RASEN-D5.4.3-V1.0-A_Toolbox_for_Security_Risk_Assessment_and_SecurityTesting_v3.pdf
Year 2 Deliverables
D2.3.1 – Use Case Evaluation (v1)
Responsible partner: Info World
Editor: Arthur Molnar (Info World)
Abstract
The overall objective of RASEN WP2 is to identify use case scenarios contributed by the partners in the project, analyze them regarding their requirements and finally evaluate the case studies on software developed within the project. The purpose of the current document is to detail the evaluation process that took place within the project’s second year, to evaluate the project progress with regards to partner established criteria and to provide the roadmap towards third year evaluation activities.
RASEN-D2.3.1-V1.0-Use_case_evaluation_v1.pdf
D3.2.2 – Techniques for Compositional Test Based Security Assessment (v2)
Responsible partner: Software AG
Editor: Bjørnar Solhaug (SINTEF)
Abstract
This deliverable reports on the main results of RASEN WP3 from the second year of the project. The RASEN approach to compositional security risk assessment has been further developed, and this deliverable introduces our notion of risk model encapsulation. We have developed modelling support for composing individual risk models, where the encapsulation allows the models to be combined without having to consider or assess the internal details of the respective models. The techniques and tools for test-based security risk assessment have been extended in several directions. The deliverable presents results covering (semi-)automated risk modelling, security testing, and security test result aggregation. The deliverable finally presents techniques for continuous security risk assessment by monitoring and aggregation of key indicator values, where the indicators provide information about the current risk picture at any point in time.
RASEN-D3.2.2-V1.0-Techniques_for_compositional_test_based_security_assessment_v2.pdf
D4.2.2 – Techniques for Compositional Risk-Based Security Testing
Responsible partner: Fraunhofer
Editor: Martin Schneider (FOKUS)
Abstract
WP4 develops a framework for security testing guided by risk assessment and compositional analysis. This framework, starting from security test patterns and test generation models, aims to propose a compositional security testing approach able to deal with large scale networked systems. This report provides the evolved results based on the previous deliverable D4.2.1. The results comprise risk-based testing using CAPEC attack patterns. An improved security test pattern-based approach for test case generation is presented as well as improvements of the behavioural fuzzing approach in order to address certain vulnerabilities. Test case generation using security test patterns together with a test purpose language is extended for security testing. In addition, first results regarding security testing metrics are described. This deliverable will be refined by D4.2.3.
RASEN-D4.2.2-V1.0-Techniques_for_compositional_risk-based_security_testing.pdf
D5.3.2 – Methodologies for Legal Compositional and Continuous Risk Assessment and Security Testing (v2)
Responsible partner: SINTEF
Editor: Fredrik Seehusen (SINTEF)
Abstract
The methodologies detailed within this document address three distinct domains: security risk assessment, security testing, and legal compliance. What is new with regard to the previous version of the RASEN methodologies is that the methodologies in the different domains have been unified into an overall picture. In addition to this, the specific RASEN methodologies have been further developed, and examples of their usage are given.
RASEN-D5.3.2-V1.0-Methodologies_for_legal_compositional_and_continuous_risk_assessment_and_security_testing_v2.pdf
D5.4.2 – A Toolbox for Risk Assessment and Security Testing (v2)
Responsible partner: Fraunhofer
Editor: Jürgen Großmann (FOKUS)
Abstract
The RASEN risk assessment and security testing toolbox provides integration support for the RASEN approach to risk-based security testing and test-based security risk assessment. This deliverable contains updates of the RASEN Data Integration Model, the specification of the export and import interfaces and the definition of RASEN Data Exchange Format.
RASEN-D5.4.2-V1.0-A_toolbox_for_risk_assessment_and_security_testing_v2.pdf
Year 1 Deliverables
D2.1.1 – Use Case Scenarios Definition
Responsible partner: Software AG
Editors: Frank Werner (Software AG)
Abstract
The overall objective of RASEN WP2 is to identify use case scenarios contributed by the partners in the project, analyze them regarding their requirements, and finally evaluate the case studies on software developed within the project. The case studies provided address different problem scenarios and provide input for R&D of subsequent tasks and for evaluation of tools and methods in the technical work packages. This document describes case studies provided by project partners for the RASEN project. Selected scenarios are chosen from the fields of business software, medical information systems, and the financial sector and will establish the basis for further analysis and requirements definition in the following tasks.
Download
D3.1.1 – Baseline for Compositional Test-Based Security Risk Assessment
Responsible partner: Fraunhofer
Editors: Jürgen Großmann (Fraunhofer), Johannes Viehmann (Fraunhofer)
Abstract
The overall objective of RASEN WP3 is to develop tools and techniques for compositional and test-based security risk assessment. This deliverable presents the industrial and scientific state of the art related to this objective. The presentation is structured according to the main research tasks of WP3, which are to develop support for i) compositional security risk assessment, ii) test-based risk identification and estimation, and iii) continuous risk assessment of large scale systems by use of test-based indicators. Considering the state of the art and the research objectives of WP3, we moreover identify the baseline for the WP3 research activities. The baseline is the tools and techniques that may serve as promising starting points for further development. The identification of the baseline was guided by the relevant research questions that are addressed by the RASEN project.
Download
D3.2.1 – Techniques for Compositional Test-Based Security Assessment v.1
Responsible partner: Software AG
Editors: Bjørnar Solhaug (SINTEF), Frank Werner (SAG)
Abstract
This deliverable reports on the results of RASEN WP3 after the first year of the project. The tasks that have been addressed are (T3.1) the development of techniques for compositional security risk assessment and (T3.2) the development of techniques for test-based security risk assessment. The sections of the deliverable are structured into three main themes. The first theme is an industry-viewpoint discussion of existing approaches, and a motivation for the work presented in this deliverable. The two other themes cover research tasks T3.1 and T3.2, respectively. Regarding compositional security risk assessment, we discuss the underlying principles of compositionality and explain how these apply to the setting of risk assessment. We furthermore present our formal foundation for compositional security risk assessment, as well as an extension of CORAS to facilitate component-based risk assessment. Regarding test-based security risk assessment, we present our approach to complement the risk picture using test results, and how we plan to use security indicators and risk metrics to aggregate low-level test results to make use of them in the more high-level risk assessment.
Download
D3.3.1 – Tools for Compositional Security Risk Assessment and Security Test Result Aggregation v.1 — Documentation and Installation Guide
Responsible partner: Fraunhofer
Editors: Bjørnar Solhaug (SINTEF)
Abstract
This report provides some basic information about the tools of the WP3 prototype deliverable D3.1.1 due at project month M12. The delivered tools are CORAS from SINTEF, RISKTest from Fraunhofer FOKUS, CertifyIt from Smartesting and ARIS Business Architect from Software AG.
Download
D4.1.1 – Baseline for Compositional Risk-Based Security Testing
Responsible partner: Smartesting
Editors: Fabien Peureux (SMA)
Abstract
Work package 4 will develop a framework for security testing guided by risk assessment and compositional analysis. This framework, starting from security test patterns and test generation models, aims to propose a compositional security testing approach able to deal with large-scale networked systems. This report provides a state of the art of methodologies involved in reaching this goal, respectively, risk-related security testing approaches, such as security testing metrics and testing approaches for large-scale networked systems. The report finally provides the RASEN baseline for compositional risk-based security testing. The baseline defines the basis for the development work to be completed during the project.
Download
D4.2.1 – Techniques for Compositional Risk-Based Security Testing v.1
Responsible partner: Fraunhofer
Editors: Martin Schneider (FOKUS)
Abstract
Work package 4 will develop a framework for security testing guided by risk assessment and compositional analysis. This framework, starting from security test patterns and test generation models, aims to propose a compositional security testing approach able to deal with large-scale networked systems. This report provides the first results for how test cases can be derived from risk assessment results by means of risk-based test identification and prioritization, security test patterns and test case generation using security test patterns together with a test purpose language extended for security testing. This is based on the baseline defined in RASEN deliverable D4.1.1 and will be refined and complemented by the subsequent RASEN deliverables D4.2.2 and D4.2.3.
Download
D4.3.1 – Tools for compositional risk-based security testing — Documentation and Installation Guide
Responsible partner: Smartesting
Editors: Fabien Peureux (SMA)
Abstract
This report provides some basic information about the tools of the WP4 testing tool prototypes within deliverable D4.3.1 due at project month M12. The delivered tools are CORAS from SINTEF, CertifyIT from Smartesting, and RISKTest, Fuzzino library and Behavioral Fuzz Test Case Generator from Fraunhofer FOKUS.
Download
D5.1.1 – Baseline Methodologies for Legal, Compositional, and Continuous Risk Assessment and Security Testing
Responsible partner: UiO
Editors: Tobias Mahler (UiO)
Abstract
This report assesses the state of the art of methodologies for, respectively, legal, compositional, and continuous risk assessment and security testing. The existing state of the art is examined from the perspective of the RASEN project, based on the research questions specified by the project. The report concludes with respective baseline methodologies, which will form the basis for the development work to be completed during the project.
Download
D5.2.1 – Risk Assessment and Security Testing Toolbox Requirements and Design
Responsible partner: Fraunhofer
Editors: Jürgen Großmann (FOKUS)
Abstract
The overall idea of the RASEN project is to combine security risk assessment with security testing. Typically security risk assessment and testing are supported by different tools, often multiple tools. In contrast, the RASEN risk assessment and security testing toolbox aims explicitly at the integration of data from security risk assessment and security testing. This deliverable outlines the integration requirements and the initial design of the RASEN risk assessment and security testing toolbox.
Download
D5.3.1 – Methodologies for Legal, Compositional, and Continuous Risk Assessment and Security Testing v.1
Responsible partner: SINTEF
Editors: Fredrik Seehusen (SINTEF)
Abstract
This deliverable documents the conceptual models and initial version of the methodologies related to tasks T5.1 and T5.2.
Download
D5.4.1 – A Toolbox for Security Risk Assessment and Security Testing
Responsible partner: Fraunhofer
Editors: Jürgen Großmann (FOKUS)
Abstract
The RASEN risk assessment and security testing toolbox provides tool support for the RASEN approach to risk-based security testing and test-based security risk assessment. This deliverable contains the specification of the RASEN Data Integration Model and the specification of the interfaces between the tools of the RASEN toolbox.