SECURITY SIG IN MTS
Fraunhofer FOKUS
Tallinn, 4-5 October 2011
Berlin, 15 December 2011 update
Sophia Antipolis, 13 March 2012
Mar 21, 2016
Agenda SIG#2
Round Call
Presentation Collection
Introductory Presentation
• Motivation & „History“ (SIG#1)
Presentation of new contributions
Next steps, perspectives:
• SIG#3, Security workshop
Security SIG in MTS, 15 December 2011
Recall of SIG#1 meeting
Discussion and outcome
Short introduction by FOKUS (history starts 10/2011)
Discussion on the security scope in MTS
• Presentation by Scott regarding the need for security evaluation
• Presentation by Ian regarding the „security testing“ lifecycle (from requirements to maintenance)
Discussion on NWI „wording“
Appointment of rapporteurs: Ari T. and Scott C.
Recall: Security „scope“ in MTS
Model / Specification, system risks
Risk Analysis (paper-based)
• guidance
“Testing” (to break the system)
• Scanning (libs) for “known attacks”
• Functional / traditional testing
• Negative testing, unknown vulnerabilities, configuration mistakes
• fuzzing -> product (units, …)
• (light) penetration -> system (= deployed product)
Recall: Security Work Items
Terminology:
To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees.
“Educational” material
• Case study experiences
To assemble case study experiences related to security testing in order to have a common understanding in MTS and related committees. Industrial experiences may cover, but are not restricted to, the following domains: Smart Cards, Industrial Automation, Radio Protocols, Transport/Automotive, Telecommunication.
• Security design guide enabling test and assurance (V&V)
Guidance to application system designers that enables verification and validation across the lifecycle, including case studies from telecommunication and ICT.
Discussion
Scott introduces the working document, including the Operational phase (available on server)
Alain presents new views/models to be used in the guideline by Scott (available on server)
Ari presents the different areas of the collaboration platform (see next slide)
Security SIG in MTS, 4-5 October 2011
Wiki initiated by Codenomicon
Security Testing Terminology and Concepts
• Abstract
• Introduction
• Risk Assessment
• Functional Testing
• Penetration Testing
• Vulnerability Testing
• Performance Testing
• Fuzzing
Discussion (cont.)
Invite people from other ETSI TCs: AP: Scott to invite OCG_security
Wiki text should not only be a list of words, but have text and tutorial character
Invite CTI to check contents
Steve: the introduction part should focus on/promote new testing areas
Discussion (cont.)
Steve: opportunity for ETSI Security workshop
• MTS to chair a security testing session
• Start to plan topics, areas of interest
• CfP expected in September
Discussion on the lifecycle: no normative agreement on penetration testing available; Ian provides a new lifecycle diagram
Discussion (cont.)
Continue rapporteurs' work towards SIG#3
SIG#3: 15th May morning, before MTS#56
SIG#4 to be decided during SIG#3