Using Fuzzing Metrics in Cybersecurity Conformity Self-Assessment and Certification (N13a)
The Cybersecurity Act seeks “the measurable security of electronic products, systems, networks and services”, whilst also noting that an assurance level “as such does not measure the security of the ICT product, ICT service or ICT process concerned”. This dichotomy reflects the long-standing difficulty of making quantitative measurements of assurance. This talk will examine how intelligent fuzz testing is much more than just looking for crashes, and can be used to demonstrate both process assurance and functional assurance. It will look at how we can move much closer to quantitative metrics in assurance requirements that cover interface behaviour. The burden of demonstrating these metrics can be taken on by either a developer or evaluator; where the evidence is generated by a developer then it can be meaningfully checked by evaluators without needing to repeat the test effort. This makes the approach relevant to both conformity self-assessment and third-party (evaluator) assessments, and justifies evolving fuzz testing requirements from appearing as an ‘e.g.’ to a baseline requirement.
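As an added illustration of the point that fuzzing can yield interface-behaviour metrics rather than only a crash count, the following harness is example code written for this page; it is not material from the talk. It assumes a constructed wire format (version, type, big-endian length, payload), a constructed set of specified interface outcomes, and a seeded mutation fuzzer. The campaign reports how many of the specified outcomes were exercised (coverage of the interface specification), how many inputs were accepted versus rejected and why, whether any accepted input violated a functional property (round-tripping through the encoder), and whether any unspecified failure occurred. Because the campaign is seeded, a developer can hand over the metrics and the seed, and an evaluator can reproduce the exact run instead of repeating the test design.

```python
"""Fuzzing-metrics harness: counts specified interface outcomes, not just crashes.
Example code for illustration; the wire format and outcome set are constructed."""
import random
import struct
from dataclasses import dataclass

# Every outcome the (hypothetical) interface specification allows. Coverage of
# this set is the quantitative metric the campaign reports.
SPEC_OUTCOMES = frozenset({
    "short_header", "bad_version", "bad_type", "length_mismatch",
    "bad_utf8", "ok_0", "ok_1", "ok_2",
})


@dataclass(frozen=True)
class Message:
    msg_type: int
    payload: bytes


def parse(data: bytes) -> Message:
    """Parse the constructed format: version(1) type(1) length(2, BE) payload.
    Specified rejections raise ValueError whose text is the outcome label."""
    if len(data) < 4:
        raise ValueError("short_header")
    version, msg_type, length = struct.unpack(">BBH", data[:4])
    if version != 1:
        raise ValueError("bad_version")
    if msg_type not in (0, 1, 2):
        raise ValueError("bad_type")
    payload = data[4:]
    if len(payload) != length:
        raise ValueError("length_mismatch")
    if msg_type == 2:  # type 2 carries text and must be valid UTF-8
        try:
            payload.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("bad_utf8") from None
    return Message(msg_type, payload)


def encode(msg: Message) -> bytes:
    """Inverse of parse for accepted messages; used as the functional property."""
    return struct.pack(">BBH", 1, msg.msg_type, len(msg.payload)) + msg.payload


# Constructed seed corpus: one input per specified outcome.
SEED_CORPUS = [
    b"\x01",                      # short_header
    b"\x02\x00\x00\x00",          # bad_version
    b"\x01\x09\x00\x00",          # bad_type
    b"\x01\x00\x00\x05ab",        # length_mismatch (declares 5, carries 2)
    b"\x01\x02\x00\x01\xff",      # bad_utf8
    b"\x01\x00\x00\x00",          # ok_0
    b"\x01\x01\x00\x02hi",        # ok_1
    b"\x01\x02\x00\x02hi",        # ok_2
]


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random structural mutation: bit flip, insert, delete or truncate."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == 1:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == 2 and b:
        del b[rng.randrange(len(b))]
    else:
        b = b[: rng.randrange(len(b) + 1)]
    return bytes(b)


def run_campaign(seed: int = 0, iterations: int = 500) -> dict:
    """Run a reproducible fuzz campaign and return assurance metrics."""
    rng = random.Random(seed)
    corpus = list(SEED_CORPUS)
    n_seeds = len(SEED_CORPUS)
    counts: dict[str, int] = {}
    crashes = violations = 0
    for i in range(n_seeds + iterations):
        case = corpus[i] if i < n_seeds else mutate(rng, rng.choice(corpus))
        try:
            msg = parse(case)
            outcome = f"ok_{msg.msg_type}"
            if encode(msg) != case:  # accepted input must round-trip exactly
                violations += 1
            if case not in corpus:   # keep accepted inputs to mutate further
                corpus.append(case)
        except ValueError as e:      # specified rejection
            outcome = str(e)
        except Exception as e:       # anything else is an unspecified failure
            crashes += 1
            outcome = "crash:" + type(e).__name__
        counts[outcome] = counts.get(outcome, 0) + 1
    covered = set(counts) & SPEC_OUTCOMES
    return {
        "seed": seed,
        "cases": n_seeds + iterations,
        "crashes": crashes,
        "property_violations": violations,
        "outcomes": counts,
        "outcome_coverage": len(covered) / len(SPEC_OUTCOMES),
        "uncovered": sorted(SPEC_OUTCOMES - covered),
    }


if __name__ == "__main__":
    for key, value in run_campaign(seed=7, iterations=300).items():
        print(f"{key}: {value}")
```

The report is the kind of evidence the abstract describes: an outcome-coverage figure against the interface specification, a count of functional-property violations, and a crash count, all reproducible from the seed and iteration count alone. A real campaign would replace the constructed parser and outcome set with the product's interface and its specified responses, and would typically add code-coverage data from an instrumented build alongside the outcome coverage shown here.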