The DIAMONDS Project

As computerized systems, services and infrastructures have become an important part of society, the need for security has become increasingly evident. Today, particularly in light of the evolution and increasing use of the Internet, the need for security concerns nearly every user of computerized systems, be it private users, industrial users, or government users.

While the future internet creates new business opportunities (e.g. online banking services) and security mechanisms (e.g. authentication by mobile phone), it also creates new security threats and vulnerabilities as connectivity and the multi-domain created by trust and organizational boundaries increase. This adds an extra level of complexity, as both risks and assumptions are hard to anticipate and yet they cannot be deemed indefinitely. On the contrary, they must be monitored and reassessed continuously.

The aim of the DIAMONDS project is to strengthen the ability of Norwegian companies to face the new security challenges posed by the future internet by transferring state-of-the-art security assessment techniques to the industry. In particular, we aim to develop industrial guidelines and a supporting framework to help businesses find a balanced approach within the three-dimensional space of invested effort, security testing and risk analysis.

Security testing is a widely used technique for assessment. It is one of the few techniques that can be used to gain confidence that a system (not just its specification) together with its environment (e.g., operating system, network, and legacy code) is secure. Security testing is particularly useful in light of the dynamic and evolving multi-domain of trust envisioned by the future internet where, for instance, end users are more and more empowered and therefore decide (often on the fly) on how content and services are shared and composed.

The challenge with security testing, however, is that only some aspects of a system can be tested. In response to this, many advocate the notion of risk-based testing. Its main idea is to use risk analysis to identify and prioritize those important parts of systems that need to be tested. One of the key challenges of risk-based testing is to relate risk analysis results at a high level of abstraction (e.g. business level) to test cases at a low level of abstraction (e.g. implementation level). A particular challenge is how to relate risks and security test cases to facilitate assurance and maintenance in the multi-domain created by the fragmentation of trust boundaries as envisioned by the future internet.

In practice, security assessments are always constrained by cost and time. The effort available for doing a security assessment can vary a great deal depending on e.g. target of analysis and business process, yet effort is one of the most important factors for determining the scope, depth, and (aspects of) techniques used for the security assessment. Any general technique for security assessment which fails to take effort into account is not likely to be very practical. We therefore aim to have a strong emphasis on effort-dependence.

In summary, our main objective is to develop industrial guidelines and a supporting framework for adapting risk-based testing techniques in the multi-domain created by trust and organizational boundaries envisioned by the future internet. The guidelines and their supporting framework should take effort into account as a key factor in determining what aspects of the guidelines and framework to use and how to use them.

DIAMONDS is funded by the Research Council of Norway and runs from November 1, 2010 until October 31, 2014.

DIAMONDS is a joint initiative between

