DIAMONDS
Effort-dependent technologies for multi-domain risk-based security testing

As computerized systems, services and infrastructures have become an important part of society, the need for security has become increasingly evident. Today, particularly in light of the evolution and increasing use of the Internet, the need for security concerns nearly every user of computerized systems, be it private users, industrial users, or government users.

The aim of the DIAMONDS project is to strengthen the ability of Norwegian companies to face the new security challenges posed by the future internet by transferring state-of-the-art security assessment techniques to the industry. In particular, we aim to develop industrial guidelines and a supporting framework to help businesses find a balanced approach within the three-dimensional space of invested effort, security testing and risk analysis.

Security testing is a widely used technique for assessment. It is one of the few techniques that can be used to gain confidence that a system (not just its specification) together with its environment (e.g., operating system, network, and legacy code) is secure. The challenge with security testing, however, is that only some aspects of a system can be tested. In response to this, many advocate the notion of risk-based testing. Its main idea is to use risk analysis to identify and prioritize those important parts of systems that need to be tested. One of the key challenges of risk-based testing is to relate risk analysis results at a high level of abstraction (e.g. business level) to test cases at a low level of abstraction (e.g. implementation level).

In practice, security assessments are always constrained by cost and time. The effort available for doing a security assessment can vary a great deal depending on e.g. target of analysis and business process, yet effort is one of the most important factors for determining the scope, depth, and (aspects of) techniques used for the security assessment. Any general technique for security assessment which fails to take effort into account is not likely to be very practical. We therefore aim to have a strong emphasis on effort-dependence.

In summary, our main objective is to develop industrial guidelines and a supporting framework for adapting risk-based testing techniques in the multi-domain created by trust and organizational boundaries envisioned by the future internet. The guidelines and their supporting framework should take effort into account as a key factor in determining what aspects of the guidelines and framework to use and how to use them.

DIAMONDS is funded by the Research Council of Norway and runs from November 1, 2010 until October 31, 2014. The Norwegian DIAMONDS project is part of the European ITEA2 project with the same name.

DIAMONDS is a joint initiative between

  • BankId Norge
  • Bankenes Standardiseringskontor
  • EDB Business Partner
  • Norse Solutions
  • Statnett
  • SINTEF ICT in Oslo

Published April 28, 2011

Contact in SINTEF ICT

Ketil Stølen

Further information

The DIAMONDS technical description