The ETSI TVRA security-measurement methodology by means of TTCN-3 Notation

ETSI has provided a practical Evaluation Methodology, called the TVRA Methodology, with respect to three kinds of system: Threats, Vulnerabilities and Risks (TVR) of a system to be analyzed (thus being identified) by executing seven (basic version 2009) respectively 10 steps (advanced version 2010) according to recent ETSI TS 102 165-1 V4.2.x (2010) TISPAN specification. ETSI's Evaluation Philosophy behind the TVR-Analysis Methodology is that any security-sensitive system or module must be evaluated and tested against the security perimeter by which a module fortifies her assets. An example of fortification is the so-called Cryptographic Module according the specification of the NIST standard FIPS PUB 140-2. By this contribution we demonstrate ETSI's TVRA security evaluation approach by applying model-based testing techniques and, where appropriate - implementations by applying TTCN-3 notation to systems being subject of vulnerabilities and threats in a hostile environment.