{"id":24,"date":"2019-09-18T21:57:57","date_gmt":"2019-09-18T21:57:57","guid":{"rendered":"http:\/\/prosaweb.duckdns.org\/?page_id=24"},"modified":"2021-11-30T09:04:37","modified_gmt":"2021-11-30T09:04:37","slug":"our-approach","status":"publish","type":"page","link":"https:\/\/prosasecurity.com\/index.php\/our-approach\/","title":{"rendered":"Our approach"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Our approach: Protect against the widest range of attacks<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The PROSA approach is based on modeling behaviour and communication through your solution using a Domain-Specific Language (DSL) with which the logic and critical-security areas of the system under development can be represented. This semantics covers all aspects relevant to IT security in applications and layers of applications. This model can be either be integrated directly into your source code or be a separate model.<\/p>

Based on the model developed the following testing process is carried out:<\/p>

  1. The scope is identified through documentation review and interviews giving a first idea of the critical sections. This step benefits from a network representation of the underlying systems.<\/li>
  2. Modeling relies on further documentation review to obtain detailed systems behaviour, uniform documentation, and eliminate implementation errors.<\/li>
  3. Security Requirements are identified and validated. This contains the confidentiality and integrity goals of the model.<\/li>
  4. Threats include the completion of eavesdropper simulations and attack landscaping. At this stage the full, active and passive, attack spectrum is used. As a result, possible threats are documented (description of attack behaviour).<\/li>
  5. Risk Analysis contains a threats overview together with decision-making priorities. Risk documentation for each attack is generated.<\/li><\/ol>

    With regulatory requirements such as the Payment Services Directive 2 (PSD2), we can help you identify the security requirements that are relevant to your solution. By following the PROSA approach you can link the regulatory requirements to a risk analysis of potential threats, which lets you prove that your solution is secure.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t

    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Saving money and improving code quality with PROSA<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    A common rule of thumb in computer security is that every 100 lines of source code contain ONE defect, representing a potential entry point for attackers to a system. Even more worrying is that systems are getting more and more complex, possibly containing dozens or hundreds of components spread across various servers and cloud services. Attackers are also getting more and more advanced. With PROSA you can analyze complex solutions and show what happens when an attacker is able to:<\/p>

    • listen in on the communication between your systems<\/li>
    • modify data sent to or from your systems<\/li>
    • change or destroy data locally on a system<\/li>
    • have access to crypto-keys, e.g. from an attack on onboarding<\/li><\/ul>

      Designing applications following security principles allows to mitigate potential weaknesses. With the PROSA approach we can help you see the bigger picture of your security solution, and help you avoid potentially costly design errors:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

      \n\t\t\t\t\t\t
      \n\t\t\t\t\t
      \n\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t

      PROSA compared with traditional methods<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t\n\n\n\n\n\n\n
      <\/th>\nTraditional approach<\/th>\nPROSA approach<\/th>\nEffect from PROSA estimate<\/th>\n<\/tr>\n
      Modelling<\/strong><\/td>\n500-3000 pages of informal description, fragmented, on a component-by-component level<\/td>\n3-10A4 pages with a precise, formal system description<\/td>\n20x faster understanding of the system or new employees<\/td>\n<\/tr>\n
      Security requirements<\/strong><\/td>\nGeneral requirements, imprecise, not connected to concrete assets<\/td>\nPrecise description of assets and security goals<\/td>\n4x more requirements<\/td>\n<\/tr>\n
      Issues<\/strong><\/td>\nSemi-manual and expert-based<\/td>\nPrecise description of issues, dynamic simulations of attacks<\/td>\n10 more threats and issues found<\/td>\n<\/tr>\n
      Risk<\/strong><\/td>\nExperience-based<\/td>\nProvides a systematic index of threats based on issues<\/td>\n4x aster process for estimating risks<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      An asset can be a defined security asset, such as a payload, key identity or password.<\/p>\n

      An issue is a potential for misuse of a system, a partial compromise, an attack, etc<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

      Our approach: Protect against the widest range of attacks The PROSA approach is based on modeling behaviour and communication through your solution using a Domain-Specific Language (DSL) with which the logic and critical-security areas of the system under development can be represented. This semantics covers all aspects relevant to IT security in applications and layers […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-24","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/pages\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":19,"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/pages\/24\/revisions"}],"predecessor-version":[{"id":469,"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/pages\/24\/revisions\/469"}],"wp:attachment":[{"href":"https:\/\/prosasecurity.com\/index.php\/wp-json\/wp\/v2\/media?parent=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}