Security SIG in MTS
Fraunhofer FOKUS
Tallinn, 4-5 October 2011
Berlin, 15 December 2011 update
Sophia Antipolis, 13 March 2012
Agenda SIG#2
- Round Call
- Presentation Collection
- Introductory Presentation
- Motivation & "History" (SIG#1)
- Presentation of new contributions
- Next steps, perspectives: SIG#3, Security workshop
Security SIG in MTS, 15 December 2011
Recall of SIG#1 meeting: Discussion and outcome
- Short introduction by FOKUS (history starts 10/2011)
- Discussion on the security scope in MTS
- Presentation by Scott regarding the need for security evaluation
- Presentation by Ian regarding the "security testing" lifecycle (from requirements to maintenance)
- Discussion on NWI "wording"
- Appointment of rapporteurs: Ari T. and Scott C.
Recall: Security "scope" in MTS
- Model / Specification, system risks: Risk Analysis (paper-based) guidance
- "Testing" (to break the system):
  - Scanning (libs): "known attacks"
  - Functional / traditional testing
  - Negative testing, unknown vulnerabilities, configuration mistakes:
    - fuzzing -> product (units, …)
    - (light) penetration -> system (= deployed product)
Recall: Security Work Items
- Terminology: To collect the basic terminology and ontology (relationship between stakeholder and application) to be used for security testing in order to have a common understanding in MTS and related committees. "Educational" material.
- Case study experiences: To assemble case study experiences related to security testing in order to have a common understanding in MTS and related committees. Industrial experiences may cover, but are not restricted to, the following domains: Smart Cards, Industrial Automation, Radio Protocols, Transport/Automotive, Telecommunication.
- Security design guide enabling test and assurance (V&V): Guidance to the application system designers that enables verification and validation across the lifecycle, including case studies from telecommunication and ICT.
Discussion
- Scott introduces the working document, including the Operational phase (available on server)
- Alain presents new views/models to be used in the guideline by Scott (available on server)
- Ari presents the different areas of the collaboration platform (see next slide)
Security SIG in MTS, 4-5 October 2011
Wiki initiated by Codenomicon
"Security Testing Terminology and Concepts" with sections:
- Abstract
- Introduction
- Risk Assessment
- Functional Testing
- Penetration Testing
- Vulnerability Testing
- Performance Testing
- Fuzzing
Discussion (cont.)
- Invite people from other ETSI TCs; AP: Scott to invite OCG_security
- Wiki text should not only be a list of words, but have text and tutorial character
- Invite CTI to check contents
- Steve: the introduction part should focus on/promote new testing areas
Discussion (cont.)
- Steve: opportunity for an ETSI Security workshop; MTS to chair a security testing session
  - Start to plan topics, areas of interest
  - CfP expected in September
- Discussion on the lifecycle: no normative agreement on penetration testing available; Ian provides a new lifecycle diagram
Discussion (cont.)
- Continue rapporteurs' work towards SIG#3
- SIG#3: 15th May morning, before MTS#56
- SIG#4 to be decided during SIG#3