2

Assume that I have identified certain vulnerabilities in a system and I have developed a security architecture to defend it.

How could I properly validate my architecture (to prove that it does indeed work)? Someone mentioned to me that a method could be using RTOS, but I cannot entirely understand how this would validate my system.

Any thoughts?

DKNUCKLES
Irene Ant

1 Answer

3

In the end, security is just a fix like any other; its effectiveness can therefore be tested the usual way you could test any fix:

  1. Test the vulnerabilities while your security is not installed or is disabled and confirm that the environment is indeed vulnerable.
  2. Enable/apply the security system.
  3. Test again in the same conditions, and confirm that the vulnerability is not exploitable anymore.

Do not fall into the trap of skipping step 1: it is essential to concretely ensure that your test can effectively demonstrate the presence of the issue. Too often people only do steps 2 and 3, but for some reason their tests, while possibly good in theory, may not be effective in the real world (environment specificities, unknown side effects, etc.). This is often how one can end up implementing useless fixes.

The only thing specific to security is that these testing phases may require the use of specific knowledge and tools, but since you seem to say you have already identified these vulnerabilities and designed a potential mitigation solution, I suppose that in the worst case a few web searches should be sufficient to bring you all the missing parts.

WhiteWinterWolf
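The three steps from the answer above, written as a small test harness. This is an added example, not part of the original answer; the path-resolving functions, `BASE` and the test inputs are constructed for illustration, with a missing containment check standing in for "the vulnerability".

```python
import posixpath

BASE = "/srv/app/public"  # constructed sample document root

def resolve_unpatched(name):
    """Baseline: joins the requested name to BASE with no containment check."""
    return posixpath.normpath(posixpath.join(BASE, name))

def resolve_patched(name):
    """Mitigation under test: reject anything that resolves outside BASE."""
    path = posixpath.normpath(posixpath.join(BASE, name))
    if posixpath.commonpath([BASE, path]) != BASE:
        raise PermissionError(name)
    return path

def escapes_base(resolve, name):
    """Test case: True when the request is resolved to a path outside BASE."""
    try:
        path = resolve(name)
    except PermissionError:
        return False
    return posixpath.commonpath([BASE, path]) != BASE

def validate(test_input, baseline, fixed):
    """Run the three steps and report which one, if any, failed."""
    # Step 1: the test must demonstrate the issue on the unprotected system.
    if not escapes_base(baseline, test_input):
        return "test invalid: baseline not shown vulnerable (step 1)"
    # Steps 2 and 3: same test, same conditions, mitigation enabled.
    if escapes_base(fixed, test_input):
        return "fix ineffective: still exploitable (step 3)"
    return "fix validated"

if __name__ == "__main__":
    # A test input that never leaves BASE proves nothing about the fix.
    print(validate("docs/./index.html", resolve_unpatched, resolve_patched))
    # A test that fails on the baseline and passes with the mitigation.
    print(validate("../private/settings.ini", resolve_unpatched, resolve_patched))
    # A "fix" that changes nothing is caught at step 3.
    print(validate("../private/settings.ini", resolve_unpatched, resolve_unpatched))
```

Without the step 1 check, the first call would report the mitigation as working even though the test never exercised the weakness.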