Update on Open-Ended Vulnerability Testing for EAC Certification
This update discusses the latest research related to Open-Ended Vulnerability Testing (OEVT) methodology as outlined in the VVSG 2.0, aimed at enhancing the EAC certification process for voting systems. Key issues addressed include the cost, repeatability, and effectiveness of various methodologies, such as security assertion and fault analysis. The update emphasizes the need for expert penetration testers and suggests integrating best practices from multiple methodologies. It also covers resource allocation, system design quality, known vulnerabilities, and the role of review panels in ensuring uniformity in OEVT execution.
Update on Open-Ended Vulnerability Testing for EAC Certification
E N D
Presentation Transcript
Open Ended Vulnerability Testing Update Nelson Hastings National Institute of Standards and Technology http://vote.nist.gov
Motivation • The VVSG 2.0 provides open ended vulnerability testing (OEVT) as a test methodology • Update on research related to OEVT to support EAC certification program • Key issues: Cost and Repeatability
Methodologies Flaw hypotheses Security assertion based hypotheses Security fault analysis Ad hoc penetration testing No one methodology is satisfying, use the best aspects of each methodology Research
Keys to Quality OEVT Penetration tester experience and expertise Input to the testing Areas of investigation Allocation of resources Research
Develop OEVT methodology for voting systems Based on best features of the different methodologies How to use a review panel to help uniformity in OEVT Review of OEVT tester qualification Provide input during execution of OEVT Determining resources needed for OEVT Function of system design and implementation quality Function of known vulnerabilities Next Steps
