Human intelligence-based security evaluation
One good approach of identifying security problems is to think with a hacker’s mind. Human intelligence is able find security problems on different abstraction levels including specification, design or implementation. Our methodology is made up of the following activities:
- Threat modeling from both the attacker and assets point of view
- Definition of security assets and their important security properties based on the CIA triad principle
- Visual representation of the various attacks using the Attack tree methodology
- Collection of possible misuse-cases
- Individual analysis of each relevant threat
- Recommendations
- Risk analysis
Advantages
- Flexible: Performs well with any IT system, embedded products, their software and hardware components
- Scalable: Can build up from some ten to a hundred evaluation steps
- Intelligent: Reveals security issues needing a human approach to be found
