Критерии и показатели оценки качества тестирования на проникновение

Abstract

Relevance. Security issues of information systems in critical infrastructure objects become important now. However, current tasks of information security audit of critical infrastructure objects are mainly limited to checking them for compliance with requirements of standards and documents. With this approach to the audit, security of these objects from real attacks by hackers remains unclear. Therefore, objects are subjected to a testing procedure, namely, penetration testing, in order to objectively verify their security. An analysis of publications in this area shows that there is not mathematical approaches to selection of tests, as well as parameters and criteria for evaluating the effectiveness of penetration testing. The goals of the paper is to form specific parameters of completeness, efficiency, reliability and cost of testing, as well as, in a generalized form, a group of criteria “efficiency/cost”, allowing to estimate the quality of test sets, as well as to compare different penetration testing scenarios with each other. Research methods. Methods of probability theory and mathematical statistics, methods of processing experimental data, as well as the results of other studies in the field of software security testing are used in the paper to achieve the research goals. Results. The general form of the “efficiency/cost” criteria for estimating the quality of penetration testing, as well as formal particular parameters for evaluating separate parameters in the proposed criteria – the parameters of completeness, efficiency, reliability and cost are presented in the paper. The results of the paper can be used by auditors and testers to objectively justify test sets and compare different penetration testing scenarios with each other. The material of the paper can be useful for specialists who make research is such an area as penetration testing. Keywords: penetration testing, information technology impact, testing quality criterion, testing quality, testing completeness, testing efficiency, testing reliability, testing cost.