Security risk assessment

Security risk assessment is how technology products get their security improved.
It is a mandated step in building trusted solutions, as it gives direction on which security measures to take.
More generally, it has a major role to play in the broader mission of global digital trust.

Performing a security risk assessment is a matter of knowledge and methodology, but high-level expertise is required to make it efficient and productive. Let’s see what makes a good security risk assessment.

Security risk assessment

The objective of a security risk assessment is to give product manufacturers the tools to reach a mastered level of security, that is, one matching their expectations and aligned with their budget. The outcome of a security risk assessment is a diagnostic that links a product with the attacks it could suffer and a set of recommendations to avoid them. The methodology used to produce such a report is based on the proven ISO 27004 guide. It is suitable for organizations, technology products and complex systems (composed of software, hardware and remote communication). Once the risk is shared, it is up to the product manufacturer to implement the suggested measures partially or entirely, depending on their planning, budget and expected performance. One should therefore keep in mind that a security risk assessment provides objective information on the security level of a product.

At any stage

A security risk assessment can start at any time in the lifecycle of a product: when the product is still a set of requirements or a specification from a standard, when it is under development, or once it is ready to be delivered to customers. Obviously, for good lifecycle planning, it is worthwhile to address the security risk assessment at least while the product is under development, or earlier. Indeed, if a high risk that challenges the business case of a product offer is discovered once the product is ready to ship, the loop back to redevelopment may disrupt the product release date. That is the advantage of security risk assessment: whether the product is a specification, a draft code repository or a finalized product, its security risk can be assessed, because the assessment relies on a set of information that is usually available at the design stage.

Mandating security expertise

The methodology for performing a security risk assessment is well known and described in standards. At Trusted Labs, we use the Threat and Vulnerability Risk Assessment methodology. What really makes the methodology, however, is the people and the expertise they bring to it. Indeed, the methodology requires understanding the most recent attacks and how they spread, together with the recent countermeasures issued by the security research community. This is why, at Trusted Labs, most of the consultants are senior security experts involved in research projects. Our people contribute all year long to collaborative groups of experts, for example in the GSIS or in GlobalPlatform. By spending time with the best security experts and supporting university PhDs, we stay in contact with the real threats happening in the technology world, from embedded and hardware security up to network security.

Threat and Vulnerability Risk Assessment

The methodology used by Trusted Labs is based on a four-step approach. Each phase includes an open dialogue with our customers.

First.

The definition of the scope, its interfaces with the outside world and its use cases, at any stage in the lifecycle of the product, from design to normal usage conditions. By documenting all of this information, the context in which the product is used is captured accurately, allowing the second step to begin.

Second.

The definition of the security objectives. Each critical asset to protect is identified, and the corresponding security properties are detailed (protection to ensure confidentiality or integrity). Once the assets are defined, all possible attack techniques affecting the product are listed, based on the security expertise of our consultants.

Third.

Sharing the security requirements. At this stage, the actual association of threats and risks is made. For each identified threat (for instance, a key is stolen by means of a given attack), an analysis is conducted to evaluate the actual risk (relying on the feasibility of the attack and the probability that the attack actually succeeds). From these threats and risks, a risk management plan is detailed, allowing the product manufacturer to place countermeasures in its product or process. The result is a list of security requirements, which is transmitted and explained to the customer.

Fourth.

Residual risk. Once Trusted Labs has provided the security requirements, it is up to the customer to implement some or all of the recommended actions. The last step of the security risk assessment is usually a second round of security evaluation, to identify the residual risks once the product is ready to be delivered. This allows the product manufacturer to be fully aware of the actual risks taken and to be prepared for the worst-case scenario.
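The four steps above can be tracked in a small risk register. The following is an added example, not Trusted Labs' own tooling: the 1..5 scales, the risk formula (impact x feasibility x probability of success), the way a countermeasure lowers feasibility and success probability, and the sample connected device with its signing key and debug port are all assumptions made for illustration.

```python
# Added example, not Trusted Labs' code: a toy risk register following the four
# steps above. Scales, the risk formula and the sample product are assumptions.
from dataclasses import dataclass, field

@dataclass
class Asset:            # step 2: a critical asset and the property to protect
    name: str
    prop: str           # "confidentiality" or "integrity"
    impact: int         # assumed 1..5 scale: damage if the property is lost

@dataclass
class Countermeasure:   # step 3: a security requirement handed to the manufacturer
    name: str
    feasibility_cut: int    # assumed: points removed from attack feasibility
    success_factor: float   # assumed: multiplier on the probability of success

@dataclass
class Threat:           # step 3: one attack technique against one asset
    asset: Asset
    interface: str      # must be in the step-1 scope, otherwise not analysed
    description: str
    feasibility: int    # assumed 1..5 scale: how easy the attack is to mount
    p_success: float    # assumed 0..1: chance it succeeds once mounted
    countermeasures: list = field(default_factory=list)

def risk(threat, applied=frozenset()):
    """Assumed formula: impact x feasibility x probability of success, after
    applying whichever countermeasures the manufacturer implemented (step 4)."""
    f, p = threat.feasibility, threat.p_success
    for cm in threat.countermeasures:
        if cm.name in applied:
            f, p = f - cm.feasibility_cut, p * cm.success_factor
    return round(threat.asset.impact * max(f, 1) * p, 2)

def assess(scope, threats, applied=frozenset()):
    """Return {threat description: risk} for in-scope threats, highest risk first."""
    reg = {t.description: risk(t, applied) for t in threats if t.interface in scope}
    return dict(sorted(reg.items(), key=lambda kv: -kv[1]))

# Constructed sample: a connected device with a firmware signing key and a debug port.
SCOPE = {"network", "debug port"}           # step 1: interfaces the product exposes
KEY = Asset("firmware signing key", "confidentiality", impact=5)
FW = Asset("firmware image", "integrity", impact=4)
DISABLE_DEBUG = Countermeasure("disable debug port in production", 3, 0.5)
SIGN_CHECK = Countermeasure("verify firmware signature at boot", 2, 0.2)
THREATS = [
    Threat(KEY, "debug port", "key read over debug port", 4, 0.9, [DISABLE_DEBUG]),
    Threat(FW, "network", "unsigned firmware pushed over the air", 3, 0.8, [SIGN_CHECK]),
    Threat(KEY, "physical", "key extracted by decapping the chip", 1, 0.5),  # out of scope
]
INITIAL = assess(SCOPE, THREATS)                                          # step 3 output
RESIDUAL = assess(SCOPE, THREATS, {DISABLE_DEBUG.name, SIGN_CHECK.name})  # step 4 output
```

Comparing INITIAL with RESIDUAL shows which risks the implemented requirements actually reduced and which remain for the manufacturer to accept.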

What about security certification?

The security risk assessment, as described here, is the basis of most standard security certification schemes. By conducting a security risk assessment, companies increase their chances of succeeding in the certification process. One should know that most security labs and certification entities are in constant exchange about methodology, recent attacks and lessons learned.