Product Incremental Security Risk Assessment using DevSecOps Practices. Sébastien Dupont, Artsiom Yautsiukhin, Guillaume Ginis, Giacomo Iadarola, Stefano Fagnano, Fabio Martinelli, Christophe Ponsard, Axel Legay and Philippe Massonet
This paper was presented at the Security assurance techniques session of the European Symposium on Research in Computer Security (ESORICS) 2022 conference.
An important challenge for product certification is dealing with product evolution: now that critical applications and infrastructures are connected, they are being updated on a more frequent basis. To ensure continuity of certification, updates must be analysed to verify their impact on certified cybersecurity properties. Impacted properties need to be re-certified. This paper proposes a lightweight and flexible incremental certification process that can be integrated with DevSecOps practices to automate evidence gathering and certification activities as much as possible. The approach is illustrated on the Common Criteria product certification scheme and a firewall update on an automotive case study. Only the impact analysis phase of the incremental certification process is illustrated.
View online: https://www.ntnu.edu/secassure/