Copyright 2010 ISA. All Rights Reserved.




Security Certification – A Critical Review

Dr. Ragnar Schierholz
Kevin McGrath
ABB Corporate Research

Distributed with permission of author(s) by ISA 2010 Presented at ISA Automation Week 2010; http://www.isa.org
Presenter

Dr. Ragnar Schierholz
• Research Area Coordinator for Secure Remote Service Infrastructure in ABB’s Industrial Software Systems research program
• Voting member of ISA 99 committee representing ABB

Kevin McGrath
• Technical lead for security in ABB’s Industrial Communication research program
• R&D project manager for technology development projects

Outline




• Background
• Security certification explained
   – Economic fundamentals
   – History of certification
   – (Current approaches in industrial automation)
• Analysis
   – Learn from the past
• Conclusions




Background




• Security standardization
   – Setting a minimum level of acceptable security
   – Enabling technical interoperability


• Information asymmetry & market failure
   – «Market actors having imperfect, asymmetric information»
     is one condition which can lead to market failure
       – Hidden characteristics
       – Hidden action/information
       – Hidden intention
   – Security properties of a product are difficult to
     assess for a customer (hidden characteristics)


Security certification explained

Economics

Transaction cost economics
• Allocate different costs to different stages of a market transaction

Stage         Examples for associated activities and costs
Initiation    identification of transaction partners, e.g. marketing (on the
              vendor’s side) and product/supplier search and comparison
              (on consumers’ side)
Negotiation   consulting and administrative costs for contract closure,
              coordination costs in specification, delivery planning, etc.
Settlement    costs for product delivery, management of the exchange of
              products and payments, validation of delivery and payment
Monitoring    monitoring of quality and timeliness of transaction execution
Adjustment    modification of contracts according to changes in
              requirements

Principal-Agent theory
• Explains effects of conflicting interests under asymmetric information
  and suggests governance models
   – Conflicts:
       – Moral hazard
       – Adverse selection
       – Hold-up
   – Governance models
       – Signalling/Screening
       – Self selection
       – Institutional hierarchy

Security certification explained




History of certification

Certification of cyber security properties of software
products has been attempted in other industries
   – Trusted Computer System Evaluation Criteria (TCSEC or
     Orange Book)
       – US Government initiative for systems used by government agencies
   – Characteristics
       – Direct interaction between government (NSA) and product vendor
       – Test of systems in their context of use (incl. security organization)
       – NSA tested against different sets of defined requirements
         (higher level of certification means more comprehensive or stronger
         requirements)
       – Expensive, long testing procedures




Security certification explained




History of certification

Certification of cyber security properties of software
products has been attempted in other industries
   – Information Technology Security Evaluation Criteria (ITSEC) /
     IEC 15408 (Common Criteria)
       – EU driven initiative, now internationally standardized, generic
         certification of software product security
   – Characteristics
       – Tests against profiles selected/defined by product vendor
         (Protection Profile, Security Target, Security Function
         Requirements, Security Assurance Requirements)
       – Tested by independent certification labs, accredited for certification
         (Commercial Licensed Evaluation Facility - CLEF)
       – Certification levels (EALs) depend on rigor of test procedure – not
         on different product requirements
       – Cost of certification depends on certification lab’s procedures

Security certification explained




History of certification

Certification of cyber security properties of software
products has been attempted in other industries
   – ISO/IEC 27000 series
       – International standard for certification of generic system security
   – Characteristics
       –   Test of systems in their context of use (incl. security organization)
       –   Guidelines of testing / auditing defined in standard
       –   Cost of certification depends on auditor’s procedures
       –   No certification levels, pass/fail certification




Security certification explained




Current approaches in industrial automation

• Several certification approaches exist or are being
  developed in the automation industry
   –   Wurldtech Achilles Communication Certification (ACC)
   –   Wurldtech Achilles Practices Certification (APC)
   –   MuDynamics MUSIC certification
   –   Exida Integrity Certification
   –   ISCI ISASecure Certification (EDSA)
• More on this from the other speakers in this session




Analysis




• Issues found with certification programs
  (to learn from the history, not to repeat it)
   – Certification criteria
          – Must be meaningful measurements of actual security property¹
          – Must be transparent so the principal can check for fit
          – Must take the context of use into account
   – Race to the bottom
          – Certification labs only compete on price, but have no liability
          – Incentive is to reduce cost by lax testing / auditing
   – Adverse selection
          – Only vendors who can’t demonstrate security with more meaningful
            (possibly more expensive) signals will pursue certification
   – Lifecycle coverage
          – Recertification dilemma with new vulnerabilities or attack paths

     ¹ See also S. Pfleeger and R. Cunningham, "Why Measuring Security Is Hard," IEEE Security & Privacy Magazine, vol. 8, 2010, pp. 46-54, and further references in the paper.

Conclusions




• Security is not only a technical matter
• Economic theories explaining the environment and
  suggesting solutions are out there
   – Transaction cost economics
   – Principal-agent theory
• Certification of security properties is one approach
   – Has been tried several times and has failed (almost) as often
   – Learn from mistakes, don’t repeat them
• Don’t forget alternative approaches
   – Leverage the characteristics of the automation domain
       – Few, large market actors where individual interaction is common
       – Framework contracts reduce the frequency of transactions

Questions?




Ask now or contact us later!

                                   Dr. Ragnar Schierholz
                                   Principal Scientist
                                   Industrial Software Systems

                                   ABB Switzerland
                                   Corporate Research
                                   Segelhofstr. 1K
                                   CH-5405 Baden 5 Dättwil
                                   Phone       +41 58 586 82 97
                                   E-Mail      ragnar.schierholz@ch.abb.com




                                   Kevin McGrath
                                   Scientist
                                   Industrial Communication

                                         ABB Norway
                                         Corporate Research
                                         Bergerveien 12
                                         NO-1375 Billingstad
                                         Phone       +47 22 874 624
                                         E-Mail      kevin.mcgrath@no.abb.com

 
Fault Detection in the Distillation Column Process
Fault Detection in the Distillation Column ProcessFault Detection in the Distillation Column Process
Fault Detection in the Distillation Column ProcessISA Interchange
 
Neural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank System
Neural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank SystemNeural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank System
Neural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank SystemISA Interchange
 
A KPI-based process monitoring and fault detection framework for large-scale ...
A KPI-based process monitoring and fault detection framework for large-scale ...A KPI-based process monitoring and fault detection framework for large-scale ...
A KPI-based process monitoring and fault detection framework for large-scale ...ISA Interchange
 
An adaptive PID like controller using mix locally recurrent neural network fo...
An adaptive PID like controller using mix locally recurrent neural network fo...An adaptive PID like controller using mix locally recurrent neural network fo...
An adaptive PID like controller using mix locally recurrent neural network fo...ISA Interchange
 
A method to remove chattering alarms using median filters
A method to remove chattering alarms using median filtersA method to remove chattering alarms using median filters
A method to remove chattering alarms using median filtersISA Interchange
 

Mais de ISA Interchange (20)

An optimal general type-2 fuzzy controller for Urban Traffic Network
An optimal general type-2 fuzzy controller for Urban Traffic NetworkAn optimal general type-2 fuzzy controller for Urban Traffic Network
An optimal general type-2 fuzzy controller for Urban Traffic Network
 
Embedded intelligent adaptive PI controller for an electromechanical system
Embedded intelligent adaptive PI controller for an electromechanical  systemEmbedded intelligent adaptive PI controller for an electromechanical  system
Embedded intelligent adaptive PI controller for an electromechanical system
 
State of charge estimation of lithium-ion batteries using fractional order sl...
State of charge estimation of lithium-ion batteries using fractional order sl...State of charge estimation of lithium-ion batteries using fractional order sl...
State of charge estimation of lithium-ion batteries using fractional order sl...
 
Fractional order PID for tracking control of a parallel robotic manipulator t...
Fractional order PID for tracking control of a parallel robotic manipulator t...Fractional order PID for tracking control of a parallel robotic manipulator t...
Fractional order PID for tracking control of a parallel robotic manipulator t...
 
Fuzzy logic for plant-wide control of biological wastewater treatment process...
Fuzzy logic for plant-wide control of biological wastewater treatment process...Fuzzy logic for plant-wide control of biological wastewater treatment process...
Fuzzy logic for plant-wide control of biological wastewater treatment process...
 
Design and implementation of a control structure for quality products in a cr...
Design and implementation of a control structure for quality products in a cr...Design and implementation of a control structure for quality products in a cr...
Design and implementation of a control structure for quality products in a cr...
 
Model based PI power system stabilizer design for damping low frequency oscil...
Model based PI power system stabilizer design for damping low frequency oscil...Model based PI power system stabilizer design for damping low frequency oscil...
Model based PI power system stabilizer design for damping low frequency oscil...
 
A comparison of a novel robust decentralized control strategy and MPC for ind...
A comparison of a novel robust decentralized control strategy and MPC for ind...A comparison of a novel robust decentralized control strategy and MPC for ind...
A comparison of a novel robust decentralized control strategy and MPC for ind...
 
Fault detection of feed water treatment process using PCA-WD with parameter o...
Fault detection of feed water treatment process using PCA-WD with parameter o...Fault detection of feed water treatment process using PCA-WD with parameter o...
Fault detection of feed water treatment process using PCA-WD with parameter o...
 
Model-based adaptive sliding mode control of the subcritical boiler-turbine s...
Model-based adaptive sliding mode control of the subcritical boiler-turbine s...Model-based adaptive sliding mode control of the subcritical boiler-turbine s...
Model-based adaptive sliding mode control of the subcritical boiler-turbine s...
 
A Proportional Integral Estimator-Based Clock Synchronization Protocol for Wi...
A Proportional Integral Estimator-Based Clock Synchronization Protocol for Wi...A Proportional Integral Estimator-Based Clock Synchronization Protocol for Wi...
A Proportional Integral Estimator-Based Clock Synchronization Protocol for Wi...
 
An artificial intelligence based improved classification of two-phase flow patte...
An artificial intelligence based improved classification of two-phase flow patte...An artificial intelligence based improved classification of two-phase flow patte...
An artificial intelligence based improved classification of two-phase flow patte...
 
New Method for Tuning PID Controllers Using a Symmetric Send-On-Delta Samplin...
New Method for Tuning PID Controllers Using a Symmetric Send-On-Delta Samplin...New Method for Tuning PID Controllers Using a Symmetric Send-On-Delta Samplin...
New Method for Tuning PID Controllers Using a Symmetric Send-On-Delta Samplin...
 
Load estimator-based hybrid controller design for two-interleaved boost conve...
Load estimator-based hybrid controller design for two-interleaved boost conve...Load estimator-based hybrid controller design for two-interleaved boost conve...
Load estimator-based hybrid controller design for two-interleaved boost conve...
 
Effects of Wireless Packet Loss in Industrial Process Control Systems
Effects of Wireless Packet Loss in Industrial Process Control SystemsEffects of Wireless Packet Loss in Industrial Process Control Systems
Effects of Wireless Packet Loss in Industrial Process Control Systems
 
Fault Detection in the Distillation Column Process
Fault Detection in the Distillation Column ProcessFault Detection in the Distillation Column Process
Fault Detection in the Distillation Column Process
 
Neural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank System
Neural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank SystemNeural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank System
Neural Network-Based Actuator Fault Diagnosis for a Non-Linear Multi-Tank System
 
A KPI-based process monitoring and fault detection framework for large-scale ...
A KPI-based process monitoring and fault detection framework for large-scale ...A KPI-based process monitoring and fault detection framework for large-scale ...
A KPI-based process monitoring and fault detection framework for large-scale ...
 
An adaptive PID like controller using mix locally recurrent neural network fo...
An adaptive PID like controller using mix locally recurrent neural network fo...An adaptive PID like controller using mix locally recurrent neural network fo...
An adaptive PID like controller using mix locally recurrent neural network fo...
 
A method to remove chattering alarms using median filters
A method to remove chattering alarms using median filtersA method to remove chattering alarms using median filters
A method to remove chattering alarms using median filters
 

Último

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Último (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Security Certification - Critical Review

  • 1. Security Certification – A Critical Review
      Dr. Ragnar Schierholz, Kevin McGrath
      ABB Corporate Research
      Copyright 2010 ISA. All Rights Reserved. Distributed with permission of author(s) by ISA 2010. Presented at ISA Automation Week 2010; http://www.isa.org
  • 2. Presenter
      Dr. Ragnar Schierholz
      • Research Area Coordinator for Secure Remote Service Infrastructure in ABB’s Industrial Software Systems research program
      • Voting member of ISA 99 committee representing ABB
      Kevin McGrath
      • Technical lead for security in ABB’s Industrial Communication research program
      • R&D project manager for technology development projects
  • 3. Outline
      • Background
      • Security certification explained
          – Economic fundamentals
          – History of certification
          – (Current approaches in industrial automation)
      • Analysis
          – Learn from the past
      • Conclusions
  • 4. Background
      • Security standardization
          – Setting a minimum level of acceptable security
          – Enabling technical interoperability
      • Information asymmetry & market failure
          – «Market actors having imperfect, asymmetric information» is one condition which can lead to market failure
          – Hidden characteristics
          – Hidden action/information
          – Hidden intention
          – Security properties of a product are difficult to assess for a customer (hidden characteristics)
  • 5. Security certification explained: Economics
      Transaction cost economics
      • Allocate different costs to different stages of a market transaction
      • Stages, with examples for associated activities and costs:
          – Initiation: identification of transaction partners, e.g. marketing (on the vendor’s side) and product/supplier search and comparison (on consumers’ side)
          – Negotiation: consulting and administrative costs for contract closure, coordination costs in specification, delivery planning, etc.
          – Settlement: costs for product delivery, management of the exchange of products and payments, validation of delivery and payment
          – Monitoring: monitoring of quality and timeliness of transaction execution
          – Adjustment: modification of contracts according to changes in requirements
      Principal-Agent theory
      • Explains effects of conflicting interests under asymmetric information and suggests governance models
          – Conflicts:
              – Moral hazard
              – Adverse selection
              – Hold-up
          – Governance models
              – Signalling/Screening
              – Self selection
              – Institutional hierarchy
  • 6. Security certification explained: History of certification
      Certification of cyber security properties of software products has been attempted in other industries
      – Trusted Computer System Evaluation Criteria (TCSEC or Orange Book)
          – US Government initiative for systems used by government agencies
          – Characteristics
              – Direct interaction between government (NSA) and product vendor
              – Test of systems in their context of use (incl. security organization)
              – NSA tested against different sets of defined requirements (higher level of certification means more comprehensive or stronger requirements)
              – Expensive, long testing procedures
  • 7. Security certification explained: History of certification
      Certification of cyber security properties of software products has been attempted in other industries
      – Information Technology Security Evaluation Criteria (ITSEC) / IEC 15408 (Common Criteria)
          – EU-driven initiative, now internationally standardized, generic certification of software product security
          – Characteristics
              – Tests against profiles selected/defined by product vendor (Protection Profile, Security Target, Security Function Requirements, Security Assurance Requirements)
              – Tested by independent certification labs, accredited for certification (Commercial Licensed Evaluation Facility - CLEF)
              – Certification levels (EALs) depend on rigor of test procedure – not on different product requirements
              – Cost of certification depends on certification lab’s procedures
  • 8. Security certification explained: History of certification
      Certification of cyber security properties of software products has been attempted in other industries
      – ISO/IEC 27000 series
          – International standard for certification of generic system security
          – Characteristics
              – Test of systems in their context of use (incl. security organization)
              – Guidelines of testing / auditing defined in standard
              – Cost of certification depends on auditor’s procedures
              – No certification levels, pass/fail certification
  • 9. Security certification explained: Current approaches in industrial automation
      • Several certification approaches exist or are being developed in the automation industry
          – Wurldtech Achilles Communication Certification (ACC)
          – Wurldtech Achilles Practices Certification (APC)
          – MuDynamics MUSIC certification
          – Exida Integrity Certification
          – ISCI ISASecure Certification (EDSA)
      • More on this from the other speakers in this session
  • 10. Analysis
      • Issues found with certification programs (to learn from the history, not to repeat it)
          – Certification criteria
              – Must be meaningful measurements of actual security property [1]
              – Must be transparent so the principal can check for fit
              – Must take the context of use into account
          – Race to the bottom
              – Certification labs only compete on price, but have no liability
              – Incentive is to reduce cost by lax testing / auditing
          – Adverse selection
              – Only vendors who can’t demonstrate security with more meaningful (possibly more expensive) signals will pursue certification
          – Lifecycle coverage
              – Recertification dilemma with new vulnerabilities or attack paths
      [1] See also S. Pfleeger and R. Cunningham, "Why Measuring Security Is Hard," IEEE Security & Privacy Magazine, vol. 8, 2010, pp. 46-54, and further references in the paper
  • 11. Conclusions
      • Security is not only a technical matter
      • Economic theories explaining the environment and suggesting solutions are out there
          – Transaction cost economics
          – Principal-agent theory
      • Certification of security properties is one approach
          – Has been tried several times and has failed (almost) as often
          – Learn from mistakes, don’t repeat them
      • Don’t forget alternative approaches
          – Leverage the characteristics of the automation domain
          – Large, few market actors where individual interaction is common
          – Framework contracts reduce the frequency of transactions
  • 12. Questions?
      Ask now or contact us later!
      Dr. Ragnar Schierholz, Principal Scientist, Industrial Software Systems
      ABB Switzerland, Corporate Research, Segelhofstr. 1K, CH-5405 Baden 5 Dättwil
      Phone +41 58 586 82 97, E-Mail ragnar.schierholz@ch.abb.com
      Kevin McGrath, Scientist, Industrial Communication
      ABB Norway, Corporate Research, Bergerveien 12, NO-1375 Billingstad
      Phone +47 22 874 624, E-Mail kevin.mcgrath@no.abb.com