ISO/IEC 17825:2024 情報技術 | ページ 3

Introduction

Testing requires defined constants, which are derived from an axiomatic analysis of the security problem. The security assurance levels are bound to the testing and remaining risks. The testing approach can be characterized as follows:

• a) Testing soundness
  • 1) A formal description of empirical closed-box testing provides the soundness, in the context of the attack, because the testing adheres to an accepted methodology.
  • 2) The application of the methodology does not ensure that all possible attacks are covered. Testing allows for weakness detection in a system; hence, it increases the confidence in a system's ability to withstand a set of simulated attacks. The implemented formalism allows to detect weaknesses, and the outcome is a reasonable level attested by tests.
  • 3) The level of assurance that can be reached with the methodology in this document is a “controlled” level of “reasonable” confidence level, which is the level low to medium. Level high is not reachable due to the closed-box approach. The meaning of “reasonable” is determined by the customer's risk threshold. The tester is defining the level of reasonability, in accordance with a security level target.
  • 4) Testing is guided by a strategy, which allows for transparency in the methodology and outcomes.
  • 5) The methodology is device-class specific. The pass/fail criteria should take into account the class of devices under test. For example, the criteria for devices with a deterministic behaviour (i.e. bare metal), and for devices with a complex software stack should be different.
  • 6) Security testing is an “estimation” when based upon noisy measurements, or when the tester does not have full control of the implementation under test (IUT).

• b) Repeatability (as per ISO/IEC 17025:2017, 7.2.2.4)

  Repeatability means similar results from the same (i.e. repeated) methodology, while reproducibility means similar results from similar methodology. Security evaluation is an estimation based on noisy measurements, on IUT whose behaviour is probably not in full control of the tester. In this document, there is a prerequisite that the IUT is closed-box, which can behave in a non-deterministic manner (at least, its internals – owing to some intentional randomization used as a protection). Furthermore, the test can only be carried out based on external observations and findings. As a result, the objective is to document a formal and transparent process of testing ここで, independent tests can be reproduced with similar expected results (as much as possible, within reasonable bounds). The methodologies are similar (e.g. executed by two testers) in that they yield similar outcome.

• c) Cost of testing

  • 1) The objective is to devote the right amount of effort for the testing of a given assurance level. Cost effectiveness of the testing has a direct implication on assuring a certain level of security. Cost of testing includes, but is not limited to:
    • i) Level of expertise and experience: Consequence/implication of using an already formalized process (agnostic in the IUT). The testers require skills and competencies.
    • ii) Time: Elapsed time for data acquisition, even though the procedure is automated.
    • iii) Equipment: The cost impact of equipment is covered in ISO/IEC 20085-1:2019 (requirements) and ISO/IEC 20085-2:2020 (calibration).

  • 2) This document aims to keep cost moderate. A threshold is reached in the assurance level up to a certain number of traces captured. The level of assurance does not increase significantly more beyond the threshold. The prescribed methodology cannot exceed a certain level of assurance by its design.