Our approach: Protect against the widest range of attacks
The PROSA approach is based on modeling behaviour and communication through your solution using a Domain-Specific Language (DSL) with which the logic and critical-security areas of the system under development can be represented. This semantics covers all aspects relevant to IT security in applications and layers of applications. This model can be either be integrated directly into your source code or be a separate model.
Based on the model developed the following a testing process is carried out:
- Scope is identified through documentation review and interviews giving a first idea of the critical sections. This step benefits from a network representation of the underlying systems.
- Modelling relies on further documentation review to obtain detailed systems behaviour, uniform documentation, and to eliminate implementation errors.
- Security Requirements are identified and validated. This contains confidentiality and integrity goals of the model.
- Threats include the completion of eavesdropper simulations and attack landscaping. At this stage the full, active and passive, attack spectrum is used. As a result, possible threats are documented (description of attack behaviour).
- Risk Analysis contains a threats overview together with decision-making priorities. Risk documentation for each attack is generated.
With regulatory requirements such as the Payment Services Directive 2 (PSD2) we can help you identify the security requirements that are relevant to your solution. By following the PROSA approach you can link the regulatory requirements to a risk analysis of potential threats, which lets you prove that your solution is secure.
Saving money and improving code quality with PROSA
- listen in on communication between your systems
- modify data sent to or from your systems
- change or destroy data locally on a system
- have access to crypto-keys, e.g. from an attack on onboarding
PROSA compared with traditional methods
|Traditional approach||PROSA approach||Effect from PROSA estimate|
|Modelling||500-3000 pages of informal description, fragmented, on a component-by-component level||3-10A4 pages with a precise, formal system description||20x faster understanding of systemf or new employees|
|Security requiremnets||General requirements, imprecise, not connected to concrete assets||Precise description of assets and security goals||4x more requirements|
|Issues||Semi-manual and expert based||Precise description of issues, dynamic simulations of attacks||10 more threats and issues found|
|Risk||Experience based||Provides systematic index of threats based on issues||4x aster process for estimating risks|