Security SIG in MTS

Post on 21-Mar-2016

Transcript

SECURITY SIG IN MTS

Fraunhofer FOKUS

Tallinn, 4-5 October 2011
Berlin, 15 December 2011 update
Sophia Antipolis, 13 March 2012

Agenda SIG#2

Round Call
Presentation Collection
Introductory Presentation
• Motivation & „History“ (SIG#1)
Presentation of new contributions
Next steps, perspectives:
• SIG#3, Security workshop

Security SIG in MTS, 15 December 2011

Recall of SIG#1 meeting

Discussion and outcome
Short introduction by Fokus (history starts 10/2011)
Discussion on the security scope in MTS
• Presentation by Scott regarding need for security evaluation
• Presentation by Ian regarding „security testing“ lifecycle (from requirements to maintenance)
Discussion on NWI „wording“
Appointment of rapporteurs: Ari T. and Scott C.


Recall: Security „scope“ in MTS

Model / Specification, system risks
Risk Analysis (paper-based)
• guidance
“Testing” (to break the system)
• Scanning (libs) “known attacks”
• Functional / traditional testing
• Neg. testing, unknown vul., config mistakes
• fuzzing -> product (units,…)
• (light) penetration -> system (=deployed product)


Recall: Security Work Items

Terminology: To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees.

“Educational” material
• Case study experiences
To assemble case study experiences related to security testing in order to have a common understanding in MTS and related committees. Industrial experiences may cover but are not restricted to the following domains: Smart Cards, Industrial Automation, Radio Protocols, Transport/Automotive, Telecommunication.
• Security design guide enabling test and assurance (V&V)
Guidance to the application system designers that enable verification and validation across the lifecycle, including case studies from telecommunication and ICT.


Discussion

Scott introduces Working document including Operational phase (available on server)
Alain presents new views/models to be used in the guideline by Scott (available on server)
Ari presents the different areas of the collaboration platform (see next slide)

Security SIG in MTS, 4-5 October 2011

Wiki initiated by Codenomicon

Security Testing Terminology and Concepts

• Abstract
• Introduction
• Risk Assessment
• Functional Testing
• Penetration Testing
• Vulnerability Testing
• Performance Testing
• Fuzzing

Discussion (cont.)

Invite people from other ETSI TCs: AP: Scott invite OCG_security
Wiki text should not only be a list of words, but with text and tutorial character
Invite CTI to check contents

Steve: the introduction part should focus/promote new testing areas


Discussion (cont.)

Steve: opportunity for ETSI Security workshop
• MTS to chair a security testing session
• Start to plan topics, areas of interests
• CfP expected in September

Discussion on the lifecycle: no normative agreement on penetration testing available, Ian provides new lifecycle diagram


Discussion (cont.)

Continue rapporteur's work towards SIG#3
SIG#3: 15th May morning, before MTS#56

SIG#4 to be decided during SIG#3
