Compositional Risk Assessment and Security Testing of Networked Systems

Oct. 01, 2013 to Oct. 31, 2015

ICT systems are becoming increasingly heterogeneous and complex, crossing organisational as well as geographical borders. Due to their size and complexity, they pose challenges for security policies that cannot be examined from an exclusively technological perspective. Considering our dependence on heterogeneous networked service and computing environments, it becomes essential for organisations (including their non-technical personnel) to concisely understand the risks related to the security of the systems and services in use. The RASEN project develops an approach that enables organisations to conduct security risk assessments for large-scale networked systems and to verify the assessment by means of security testing. In doing so, the project addresses the following challenges:

  • Performing security assessments of large networked systems in their entirety is infeasible, hence compositional approaches are required that allow smaller assessments to be performed (e.g. on parts of a system). RASEN develops such an approach, which allows risk assessments to be conducted for smaller parts or aspects of a system and then systematically composed to obtain a global risk picture.
  • Security assessments are usually performed either at a high level, e.g. by security risk assessment, or at the technical low level, e.g. by security testing. The RASEN project develops techniques, tools and methods to derive security test cases from security risk assessment results and to verify and update the security risk assessment based on security test results. This approach combines the high-level risk analysis with technical security testing and thus provides more reliable and accurate results.
  • Large-scale systems themselves, as well as their environment, evolve over time. Thus, the RASEN approach will have a particular emphasis on continuous security assessment, in which the security assessment is performed iteratively in such a way that results from previous assessments can be reused and the security risk assessment picture can be rapidly updated with respect to changes in the system and its environment.
  • Finally, RASEN aims to strengthen organisations' ability to assure compliance with legal norms and to assess the risks related to non-compliance by developing methods for risk assessments that specifically take into account legal aspects of relevance to security.

The RASEN consortium consists of seven partners from Norway, Germany, France and Romania, with expertise in the areas of risk assessment, software testing, and law.

In November 2015, the RASEN project was finally evaluated by the EU as an excellent project. The main results of the project include two innovations that have been developed or co-designed by Fraunhofer FOKUS:

  • The RACOMAT tool allows users to combine component-based security risk assessment with security testing. Testing can be integrated seamlessly into the incident simulations the tool uses for its compositional risk analysis. By drawing on libraries containing risk analysis artifacts such as attack patterns and on libraries containing testing artifacts such as security test patterns, the RACOMAT tool offers a high degree of reusability and automation. The tool supports an exhaustive and systematic security assessment, starting from risk modeling, supporting security testing and finally helping to update the risk picture based on test results.
  • The overall RASEN method for security risk assessment and security testing is derived from ISO 31000 and slightly extended to integrate security testing as one of the major tasks that need to be carefully aligned with typical risk assessment activities. It is defined independently of any application domain and of the level, target or depth of the assessment. It could be applied for legal risk as well as for any kind of technical assessment. Parts of the RASEN method for security risk assessment and security testing are published as ETSI Guide EG 203251.

The results of the project have been evaluated along three case studies from the domains of healthcare, finance and the IT industry.