To what extent should cybersecurity testing be implemented (1/3)
Section 5.7 of IEC 81001-5-1 requires the following security tests to be performed:
- Security Requirements Testing (5.7.1)
- Threat Mitigation Testing (5.7.2)
- Vulnerability Testing (5.7.3)
- Penetration Testing (5.7.4)
Is it really necessary to conduct all of these tests?
1. Security Requirements Testing (5.7.1)
Security requirements testing verifies the security behaviour required by the requirements specification.
Depending on the intended use environment, it includes the following types of tests:
- Functional testing of security requirements
- Performance and scalability testing
- Marginal tests (tests that may affect security)
  - Boundary and edge conditions
  - Stress testing
  - Malformed input testing
  - Unexpected input testing
- Testing of the software services used to deliver the software's intended functionality, in line with the liability arrangement between the service provider, the company and the operator
  - Testing for cloud services
  - Testing for Software as a Service (SaaS)
  - Testing for Infrastructure as a Service (IaaS)
  - Testing for Platform as a Service (PaaS)
These are performed for the security-related tests required by the requirements specification.
2. Threat Mitigation Testing (5.7.2)
In threat mitigation testing, each mitigation measure is tested for effectiveness:
- Verification of mitigation measures: ensure that the mitigation measures do not create other vulnerabilities in the design.
- Verification testing of each mitigation measure: develop and execute suitable test content to confirm that each mitigation implemented against a specific threat works as designed.
- Circumvention testing of each mitigation measure: develop and carry out a plan to thwart each mitigation measure.
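The three kinds of check listed above, as an added example that is not code from the article or from IEC 81001-5-1. The mitigation under test is a constructed failed-login lockout (the threshold, the lockout window, the class name and the account names are all assumptions made for the illustration): one check verifies that the lockout engages as designed, one tries to get around it by spreading failures over spelling variants of the account name, and one confirms that the mitigation does not introduce a weakness of its own by locking unrelated accounts or never releasing.

```python
"""Added example (not from the standard or the article): a minimal
failed-login lockout mitigation together with the checks the text asks
for: verify it works as designed, try to get around it, and confirm it
does not create a new weakness of its own."""

MAX_FAILURES = 5        # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 300   # assumed policy: lock for five minutes


class LoginGuard:
    """Counts failed logins per account and locks the account after a threshold."""

    def __init__(self, clock):
        self._clock = clock            # injected so tests control time
        self._failures = {}            # normalized account -> failure count
        self._locked_until = {}        # normalized account -> unlock time

    @staticmethod
    def _normalize(account: str) -> str:
        # Without this, "Alice" and " alice" would be counted as separate accounts
        return account.strip().lower()

    def is_locked(self, account: str) -> bool:
        acct = self._normalize(account)
        until = self._locked_until.get(acct)
        if until is None:
            return False
        if self._clock() >= until:     # lockout expired: clear state
            del self._locked_until[acct]
            self._failures.pop(acct, None)
            return False
        return True

    def record_failure(self, account: str) -> None:
        acct = self._normalize(account)
        self._failures[acct] = self._failures.get(acct, 0) + 1
        if self._failures[acct] >= MAX_FAILURES:
            self._locked_until[acct] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, account: str) -> None:
        self._failures.pop(self._normalize(account), None)


class FakeClock:
    """Manually advanced clock so the checks are deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def _fail_n_times(guard, account, n):
    for _ in range(n):
        guard.record_failure(account)


# Verification test: the mitigation engages exactly at the designed threshold.
def check_lockout_engages() -> bool:
    guard = LoginGuard(FakeClock())
    _fail_n_times(guard, "alice", MAX_FAILURES - 1)
    before = guard.is_locked("alice")
    guard.record_failure("alice")
    return before is False and guard.is_locked("alice") is True


# Circumvention test: spread the failures over spelling variants of the name.
def check_name_variants_do_not_bypass() -> bool:
    guard = LoginGuard(FakeClock())
    for variant in ["alice", "ALICE", "Alice", " alice", "alice "]:
        guard.record_failure(variant)
    return guard.is_locked("alice")


# The mitigation must not create a new weakness: locking alice must not
# lock bob, and the lock must release so the account is not lost for good.
def check_no_collateral_lockout() -> bool:
    clock = FakeClock()
    guard = LoginGuard(clock)
    _fail_n_times(guard, "alice", MAX_FAILURES)
    bob_ok = not guard.is_locked("bob")
    clock.now += LOCKOUT_SECONDS
    return bob_ok and not guard.is_locked("alice")


if __name__ == "__main__":
    print("lockout engages      :", check_lockout_engages())
    print("variants do not bypass:", check_name_variants_do_not_bypass())
    print("no collateral lockout :", check_no_collateral_lockout())
```

The third check is the one that addresses "mitigation measures do not create other vulnerabilities": a lockout that never expired, or that was keyed too coarsely, would turn an availability control into a way to deny legitimate users access, so the expiry and the per-account scope are tested as deliberately as the lockout itself.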
3. Vulnerability Testing (5.7.3)
Testing for known vulnerabilities should be based, at a minimum, on the recent content of established, industry-recognized, public sources of known vulnerabilities.
Where necessary, the following tests are also conducted:
- Abuse case testing
Abuse case testing focuses on finding security problems by testing against unauthorized or unexpected inputs.
For all external interfaces and protocols this includes:
  - Manual abuse case testing
  - Automated abuse case testing
  - Special kinds of abuse case testing
Specifically, this includes fuzzing, network traffic load testing, and capacity testing.
——————————————————————————————————————–
What is Fuzzing?
It is one of the testing methods for finding software vulnerabilities.
Specifically, it intentionally feeds the program large amounts of random or malformed data and verifies that the program does not crash or behave unexpectedly.
Fuzzing is primarily used to find security vulnerabilities.
Because malicious attackers can exploit program vulnerabilities to break into systems or steal information, it is important to perform fuzzing and fix the vulnerabilities it finds during the development phase.
There are two main types of fuzzing:
- Black box fuzzing: testing by feeding data from the outside without knowledge of the program's internal structure.
- White box fuzzing: analysing the source code and testing for potential vulnerabilities based on an understanding of the program's internal structure.
Fuzzing is often performed using automated tools to efficiently find vulnerabilities.
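The fuzzing described here, and the malformed and unexpected input tests listed under 5.7.1, as an added example that is not code from the article or from the standard: a small black-box mutation fuzzer run against a deliberately naive parser for a constructed record format and against a hardened version of the same parser. The wire format, the seed message, both parsers and the mutation strategy are all constructed for the illustration. The harness treats a defined ParseError as a correct rejection and any other exception as a finding.

```python
"""Added example (not code from the article): a black-box mutation fuzzer
for a constructed record format, run against a naive parser and against
a hardened one so the difference in findings is visible."""
import random

# Constructed wire format: 1 byte record count, then for each record
# 1 byte length followed by that many value bytes.
SEED_MESSAGE = bytes([2, 3, 0x41, 0x42, 0x43, 1, 0x5A])  # two records: "ABC", "Z"


class ParseError(ValueError):
    """Raised by the hardened parser for any malformed input."""


def parse_naive(data: bytes) -> float:
    """Trusts every field; fails with IndexError or ZeroDivisionError on bad input."""
    count = data[0]
    pos = 1
    lengths = []
    for _ in range(count):
        length = data[pos]
        lengths.append(len(data[pos + 1:pos + 1 + length]))
        pos += 1 + length
    return sum(lengths) / count          # average record length


def parse_hardened(data: bytes) -> float:
    """Checks every length against the buffer and rejects with ParseError."""
    if not data:
        raise ParseError("missing header")
    count = data[0]
    if count == 0:
        raise ParseError("zero records")
    pos = 1
    lengths = []
    for i in range(count):
        if pos >= len(data):
            raise ParseError(f"truncated before record {i}")
        length = data[pos]
        end = pos + 1 + length
        if end > len(data):
            raise ParseError(f"record {i} overruns buffer")
        lengths.append(length)
        pos = end
    if pos != len(data):
        raise ParseError("trailing bytes after last record")
    return sum(lengths) / count


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random mutations to a valid seed message."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(4)
        if choice == 0 and buf:          # overwrite one byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif choice == 1:                # truncate anywhere
            buf = buf[:rng.randrange(len(buf) + 1)]
        elif choice == 2:                # insert a byte anywhere
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif buf:                        # zero the record count
            buf[0] = 0
    return bytes(buf)


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> dict:
    """Return {exception name: first input that triggered it} for unexpected failures."""
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    findings = {}
    for _ in range(iterations):
        sample = mutate(SEED_MESSAGE, rng)
        try:
            parser(sample)
        except ParseError:
            continue                     # defined rejection, not a finding
        except Exception as exc:         # anything else is a crash worth recording
            findings.setdefault(type(exc).__name__, sample)
    return findings


if __name__ == "__main__":
    print("naive   :", fuzz(parse_naive))
    print("hardened:", fuzz(parse_hardened))
```

Keeping the failing inputs alongside the exception type is what makes the run useful afterwards: each one becomes a regression test for the fix, and the fixed seed means the same inputs are produced on every run.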