-
The RACOMAT Tool
Security Risks – Why just identifying risks is not enough
Until September 2013, in the context of the global surveillance disclosures, the German government justified NSA spying, because “security is a super basic right” (Hans-Peter Friedrich, German minister of the interior, own translation) and surveillance is necessary to fight terrorism and other threats. Their opinion changed dramatically as soon as they learned that the mobile phone of German chancellor Angela Merkel was obviously monitored, too. Which risk is higher? Living in an Orwellian surveillance for sure or being eventually not able to prevent some act of terrorism? Obviously, it is necessary to weight risks against each other.However, risk assessment might be difficult and expensive, it often depends on the skills and estimates of the analysts. Testing is one analysis method that might yield more objective results, but security testing itself might be difficult and expensive, too, because security testing means to test for unwanted behavior and there is usually no specification what to expect. Besides that manual testing is itself error prone and infeasible for large scale systems, even highly insecure system can produce lots of correct test verdicts if the “wrong” test cases have been created and executed. Therefore, it makes sense to do Risk Assessment COMbined with Automated Testing, i.e. to use RACOMAT.
About RACOMAT
The iterative RACOMAT process (shown in the figure above) combines risk assessment and automated security testing in both ways: Test-Based Risk Assessment (TBRA), which tries to improve risk assessment with the results of security tests and Risk-Based Security Testing (RBST), which tries to optimize security testing with results of risk assessment.
The RACOMAT tool implements the entire RACOMAT process. It supports risk analysts and testers in each step without having trouble with different tools, offering a seamless continuous workflow with a high level of automation.
Features of the RACOMAT tool
- Component based, low level system analysis and risk assessment
- Automatically creates interface models for programs, APIs, components, Web-Pages or Web-Services
- Generates semi automatically initial fault trees (FTA), event trees (ETA) or CORAS risk graphs
- Reusable risk assessment artifacts – uses existing risk catalogues (Mitre CWE / CAPEC, BSI IT-Grundschutz …)
- Compositional risk analysis
- Calculates likelihoods for dependent incidents automatically
- Allows to model relations between risk artefacts and with system components
- Security testing is a part of the risk analysis
- Automated risk-based security testing with the help of Security Test Pattern
- Suggests associations with identified threat scenarios and system components
- Calculates, how much test effort should be spend
- Once a test pattern is instantiated, generating, executing and evaluating tests woks at least semi automatically
- Often no manual work is required at all, e. g. for overflows or (SQL-)Injections
- Updates the risk picture based upon the test results semi automatically
- Makes suggestions using security testing metrics associated with the security test patterns
- More precise likelihood values
- Allows to add unexpected observations as new faults or unwanted incidents by dragging them to the risk graph
- Create, edit and share reusable artefacts
- Threat interfaces
- Security test patterns
- Security testing metrics
- Intuitive graphic user interface
- Drag and drop
- Can be used as a stand-alone solution
- Designed as a .Net API, it can be easily integrated with other tools
Release
Currently, the RACOMAT tool is extensively tested internally at Fraunhofer FOKUS and within the RASEN FP7 EU founded research project. The first public beta test version of RACOMAT is going to be published 2015.
Early demo
An Article by: Johannes Viehmann, Fraunhofer FOKUS 2014
24 Oct 2014 / rasen_adm / Comments Off
2nd RISK Workshop at ISSRE 2014 The RASEN tool-supported method for risk-based security testing and compliance assessment