Enhancing Security Testing via Automated Replication of IT-Asset Topologies

2013 International Conference on Availability, Reliability and Security Pub Date : 2013-11-07 DOI:10.1109/ARES.2013.46

H. Birkholz, Ingo Sieverdingbeck, N. Kuntze, C. Rudolph

{"title":"Enhancing Security Testing via Automated Replication of IT-Asset Topologies","authors":"H. Birkholz, Ingo Sieverdingbeck, N. Kuntze, C. Rudolph","doi":"10.1109/ARES.2013.46","DOIUrl":null,"url":null,"abstract":"Security testing of IT-infrastructure in a production environment can have a negative impact on business processes supported by IT-assets. A test bed can be used to provide an alternate testing environment in order to mitigate this impact. Unfortunately, for small and medium enterprises, maintaining a physical test bed and its consistency with the production environment is a cost-intensive task. In this paper, we present the Infrastructure Replication Process (IRP) and a corresponding Topology Editor, to provide a cost-efficient method that makes security testing in small and medium enterprises more feasible. We utilize a virtual environment as a test bed and provide a structured approach that takes into account the differences between a physical and a virtual environment. Open standards, such as SCAP, OVAL or XCCDF, and the utilization the Interconnected-asset Ontology-IO-support the integration of the IRP into existing (automated) processes. We use the implementation of a prototype to present a proof-of-concept that shows how typical challenges regarding security testing can be successfully mitigated via the IRP.","PeriodicalId":302747,"journal":{"name":"2013 International Conference on Availability, Reliability and Security","volume":"61 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-11-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2013.46","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Security testing of IT-infrastructure in a production environment can have a negative impact on business processes supported by IT-assets. A test bed can be used to provide an alternate testing environment in order to mitigate this impact. Unfortunately, for small and medium enterprises, maintaining a physical test bed and its consistency with the production environment is a cost-intensive task. In this paper, we present the Infrastructure Replication Process (IRP) and a corresponding Topology Editor, to provide a cost-efficient method that makes security testing in small and medium enterprises more feasible. We utilize a virtual environment as a test bed and provide a structured approach that takes into account the differences between a physical and a virtual environment. Open standards, such as SCAP, OVAL or XCCDF, and the utilization the Interconnected-asset Ontology-IO-support the integration of the IRP into existing (automated) processes. We use the implementation of a prototype to present a proof-of-concept that shows how typical challenges regarding security testing can be successfully mitigated via the IRP.

查看原文本刊更多论文

通过自动复制it资产拓扑来增强安全性测试

在生产环境中对it基础设施进行安全测试可能会对it资产支持的业务流程产生负面影响。测试平台可用于提供替代测试环境，以减轻这种影响。不幸的是，对于中小型企业来说，维护物理测试平台及其与生产环境的一致性是一项成本密集的任务。在本文中，我们介绍了基础设施复制过程(IRP)和相应的拓扑编辑器，以提供一种经济有效的方法，使中小型企业的安全测试更加可行。我们利用虚拟环境作为测试平台，并提供一种考虑到物理环境和虚拟环境之间差异的结构化方法。开放标准，如SCAP、OVAL或XCCDF，以及互联资产本体(io)的利用，支持将IRP集成到现有(自动化)流程中。我们使用一个原型的实现来展示一个概念证明，它展示了如何通过IRP成功地缓解与安全测试相关的典型挑战。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 International Conference on Availability, Reliability and Security

自引率

0.00%

发文量