Standards: The framework for a secure development process
The Business Unit Quality Engineering (SQC) has been working for many years on the development of standards for the telecommunications industry, model-driven software development and model-based testing. SQC is also a member of the standardization committees of the European Telecommunications Standards Institute (ETSI) and the Object Management Group (OMG). In these committees, SQC has advanced the development of the TTCN-3 test definition language and UML Testing Profile (UTP) in particular, and it has successfully used both technologies in numerous industrial projects. SQC also contributes to the International Organization for Standardization (ISO), the International Telecommunication Union (ITU-T) and the Open Mobile Alliance (OMA). Additionally, the standardization work of SQC influences the standards for automotive software and control devices that are defined in the Automotive Open System Architecture (AUTOSAR) development partnership. A detailed list of all standards to which SQC has contributed can be found in the downloads section.
Test modeling of communication systems with TTCN-3
Testing and Test Control Notation Version 3, or TTCN-3 for short, is a specification and programming language for testing communication-based systems. Specifically, this notation is used for testing mobile radio and Internet protocols, services, modules, CORBA-based platforms and programming interfaces. Telecommunication companies use TTCN-3, for example, to test the functionality of end devices and network components. Unlike many other (test) modeling languages, TTCN-3 makes it possible not only to specify tests but also to execute them. With TTCN-3, tests can be written in graphical or text editors, translated by compilers into conventional programming languages such as Java, C++ or C#, and then adapted to any interface and executed on TTCN-3-based test systems. The language was created by ETSI, which continues to maintain and develop it. For 15 years, SQC has been involved in several ETSI expert groups known as Specialist Task Forces (STFs). SQC is currently focusing on the further development of the TTCN-3 standard and its use in testing LTE end devices and Internet network components.
TTCN-3 was presented to the public for the first time in September 2000. Since version 2.2.1, the language has been stable enough for use in tool development and industrial applications. The change request (CR) process has made it possible to track changes transparently since 2005.
Seamless transitions between system and test development: The UML Testing Profile (UTP)
The Unified Modeling Language (UML) is a graphical modeling notation that has been standardized by the Object Management Group (OMG) and is used for the object-oriented analysis and design of IT systems. UML has become an established “lingua franca” in both research and industry. The acceptance of UML as a modeling notation quickly influenced the research field of model-based testing (MBT). The modeling notation does not define any native test concepts. Such concepts are needed, however, to use UML for the systematic, structured validation and verification of IT systems. To remedy this shortcoming, the UML Testing Profile (UTP) – which SQC had proposed and devised together with other partners – was developed parallel to the draft of the UML 2 specification. UTP supports model-based test processes by specifying dedicated test concepts for analyzing and outlining test cases. UTP seamlessly integrates with UML and prevents any conceptual, semantic or notation-based gaps between system and test development. A new version, UTP 2, has been in development at OMG since December 2014. Once again, experts from the System Quality Center are a driving force behind the UTP Working Group. UTP 2 directly addresses industry demands for a modern, graphical, easy-to-use test modeling language.
Information Security Indicators
Information Security Indicators (ISI) have been standardized by the ETSI Industrial Specification Group (ISG). These indicators provide the basis for switching from a qualitative to a quantitative culture in IT security. Scope of measurements: external and internal threats (attempts and successes), users' deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework).
The Quick Reference Card for ISI summarizes the security indicator components to help users run, for example, security operations centers and compare security measurements. It has been provided to the ETSI ISG and to members of the R2GS clubs in France, the UK and Germany. In addition, SQC contributes to the ETSI Industrial Specification Group on Information Security Indicators (see below), which focuses on benchmarking the operational security of organizations.
The list of Information Security Indicators belongs to the initial ISI framework, which consists of the following five closely linked work items (the ISG has since been closed, and the standards are now maintained by ETSI TC CYBER):
- ISI Indicators (ISI-001-1 and Guide ISI-001-2): A powerful way to assess the level of enforcement and the effectiveness of security controls (and to benchmark them)
- ISI Event Model (ISI-002): A comprehensive security event classification model (taxonomy and representation)
- ISI Maturity (ISI-003): Necessary to assess the maturity level of overall SIEM capabilities (technology, people, process) and to weight event detection results. The methodology is complemented by ISI-005 (a more detailed, case-by-case approach)
- ISI Event Detection (ISI-004): Demonstrates through examples how to produce indicators and how to detect the related events with various means and methods (with a classification of use cases and symptoms)
- ISI Event Stimulation (ISI-005): Proposes a way to produce security events and to test the effectiveness of existing detection means (for the major types of events)
Three additional parts have been added during the extended period of ISG ISI (see related links below).