As part of the preparedness support, the first main step requires the development of specialised methodologies tailored for penetration testing, vulnerability assessments, and essential entity testing. These methodologies provide a structured approach to identifying vulnerabilities and assessing cybersecurity readiness, resulting in robust methodologies and baselines for the remainder of this section and the sections that follow. To ensure compliance and to evaluate the impact of these methodologies, the available regulatory frameworks will be assessed. The expected result is a set of clear instructions for applying methodologies that align with the most relevant cybersecurity regulations and standards.
A diverse set of scenarios covering various cybersecurity domains will be subsequently defined. This effort will result in a comprehensive scenario library, serving as the foundation for testing and preparedness activities. Complementary to these tasks, it will be fundamental to identify and select a set of the most suitable digital tools and infrastructures for efficiently executing the pre-established testing scenarios and methodologies. As part of the preparedness activities, standardised and adapted cyber-range capabilities will be defined. The expectation is to provide customised cyber-range capabilities aligned with the project-specific requirements. The definition of these capabilities, in combination with the scenarios and the methodologies defined, will lead to the execution of real-world exercises, simulating cyber threats and vulnerabilities. The practical experience will represent an effective enhancement of the readiness of the project participants. The outcomes will result in evaluations of the effectiveness of deployments, adoptions of the most successful scenarios, and the development of practical use cases. The outcomes from this entire section, packaged as a valuable combination of insights and recommendations, will serve as the foundation for establishing the baselines and guide the interaction with the open calls in the subsequent sections.
Domains of interest
- application security: including, but not limited to, web applications, mobile applications, other device and appliance applications
- hardware security: including, but not limited to, controller systems and subsystems, I/O components, GPUs/CPUs, …
- network security: including, but not limited to, network components such as firewalls, IDS/IPS, switches, routers, IoT devices, …
- cloud security: including, but not limited to, cloud system settings, cloud-based applications, cloud data transfers
- system security: including, but not limited to, the interconnections of two or more hardware appliances, or two or more applications with others, monitoring and assessments at system level, environmental interactions, …
- other types of systems
Existing Methodologies
- Open-Source Security Testing Methodology Manual (v3) (OSSTMM): more information on https://isecom.org/research.html#content5-9d
- Open Web Application Security Project (OWASP) v4 and the development of v5: https://github.com/wisec/OWASP-Testing-Guide-v5
- Penetration Testing Execution Standard (PTES): https://pentest-standard.readthedocs.io/en/latest/tree.html#
- Information System Security Assessment Framework (ISSAF) – CompTIA Pentest
- NIST pentesting guidance (NIST)
- …
These methodologies are intended to guide experts and organisations wishing to apply for the CYSSDE Open Calls.
Looking for talent, expertise, new approaches and experiments.