
Compositional Risk Assessment

and Security Testing of Networked Systems

  • Innovations
  • CRSTIP
  • Consortium
  • Events
  • Publications
  • Deliverables
  • Contact
Seventh Framework Programme

Recent Posts

  • ETSI Guide EG203251 Available
  • Year 3 Project Deliverables now Available
  • Security Testing and Risk Assessment for Large-Scale Networked Systems using ARIS
  • A RASEN Innovation for Security Pattern and Model-Based Vulnerability Testing
  • Artefacts supporting risk based security testing

RASEN Supports Standardization at the European Telecommunications Standards Institute

Within the RASEN project we aim to develop methods, techniques and tools for risk-based security testing of large-scale networked systems. To ground the technical work and to boost its industrial applicability, we decided to build intensively on existing standards covering security risk assessment and testing. The RASEN methodologies and their terminology are therefore founded on, among others, the IEEE and ISO standards for testing (e.g. ISO/IEC/IEEE 29119) and for risk assessment (e.g. ISO 27000 and ISO 31000).

However, to disseminate our own results as broadly as possible, we also contribute to standardization. We have chosen the European Telecommunications Standards Institute (ETSI) as one of our dissemination channels. ETSI standards and reports are produced by consensus, and the standards work programme is determined by ETSI members according to their needs. From the RASEN perspective ETSI is attractive because it allows a short time to approval and offers a variety of document types (standards, specifications and reports) to suit different purposes. Technical reports are used to collect and disseminate research results in the form of explanatory material, while so-called ETSI guides are meant to provide technical guidance for a specific and often new technical field. Moreover, ETSI has strong liaisons with other standardization bodies (e.g. ITU-T and ISO), so ETSI work is broadly recognized and distributed.

Currently our standardisation work at ETSI is focused on serving the work of the MTS (Methods for Testing and Specification) Security SIG. The MTS Security SIG is a Special Interest Group that assembles security and testing specialists to provide an initial basis for security testing and model-based security testing standards that fit the overall testing approach elaborated and propagated by ETSI.

The MTS Security SIG currently handles four work items. These work items are depicted in the figure above and detailed below.

• TR 101 582 Case Study Experiences is a technical report that assembles case study experiences related to security testing in order to establish a common understanding in MTS and related committees. The industrial experiences cover, but are not restricted to, the following domains: smart cards, industrial automation, radio protocols, transport/automotive, and telecommunication. The experiences have been collected from two large research projects. The document has been approved by ETSI MTS and is publicly available.
• TR 101 583 Security Testing Terminology is a technical report that collects the basic terminology and ontology (the relationships between stakeholders and the application) to be used for security testing, in order to establish a common understanding in MTS and related committees. The document has been approved by ETSI MTS and will be available soon.
• DEG 203 250 Security Assurance Life Cycle is a draft ETSI guide that provides guidance to application system designers on maximising both security assurance and the verification and validation of the capabilities offered by the system's security measures.
• DEG 203 251 Risk-based Security Assessment and Testing Methodologies is a draft ETSI guide that describes a set of methodologies combining risk assessment and testing. The methodologies are based on standards such as ISO 31000 and IEEE 829/29119.

While the two technical reports are already approved, the two ETSI guides are still in progress and are expected to be submitted for approval in October 2015.

If you are interested in the ETSI MTS Security SIG work, please feel free to contact: Jürgen Großmann, Fraunhofer FOKUS, juergen.grossmann [at] fokus.fraunhofer.de

Jürgen Großmann leads the work of the MTS Security SIG and is rapporteur for TR 101 582 as well as DEG 203 251.

A contribution by Jürgen Großmann, Fraunhofer FOKUS

3 Mar 2015 / rasen_adm

Categories: News

Copyright © 2013 RASEN. Theme created by PWT. Powered by WordPress.org.