AIT, ATOS, FOKUS, GUF, KGH, LISPA, OTE, TUG
Software testing is an integral part of the software development lifecycle. For systems handling potentially sensitive information, not only the functionality but also the security and privacy of the system need to be properly tested and validated. The purpose of this deliverable is to document the efforts and report on the results of the testing efforts done within credential, with a main focus on security- and privacy-related aspects.
Besides reporting on unit and integration testing, as well as recommendations to achieve resilience on a deployment level, the document therefore has two main focuses:
*In the early phases of the project, a total of about 160 security- and privacy-related requirements were defined. In this document we give a detailed evaluation whether these requirements have been achieved, and which mitigation strategies could be taken in case a requirement has not (yet) been achieved. In total (ignoring priorities), about 90% of the security and about 63% of the privacy-related requirements have been fully or partially achieved, while less than 10% of the requirements were not achieved, with the rest being out of scope of the credential project (e.g., as they are referring to requirements on the cloud service provider).
*A second main focus of this document is the reporting on a final gray-box penetration test that has been performed after professional pen testers from the project partners have already been involved and contacted also throughout earlier phases of the development process. While some of the findings reported in this deliverable have immediate and potentially high impact on the security of the overall system, most of the findings are easy to address and are often artefacts from the development process (e.g., very detailed error logs have been generated in order to ease further development and allow for more efficient bugfixing). At the time of writing this report, no critical issues that do not allow for effective and easy-to-realize mitigation strategies have been found, and most of the identified issues are currently being addressed by the developers.
In summary, the performed tests and evaluations show that most security- and privacy-related goals of credential have been achieved during the implementation phase. The mitigation strategies necessary for turning the developed demonstrators into product-grade software will be respected in the consortium’s business and exploitation plans.