From 9aaf3b18319465b7d5eb7de10773c329f0eebace Mon Sep 17 00:00:00 2001 From: Felix Braeunling Date: Thu, 18 Sep 2025 11:03:11 +0200 Subject: [PATCH] docs: adjust learning to goals to proper format --- docs/01-introduction/02-learning-goals.adoc | 8 ++++---- docs/02-analysis/02-learning-goals.adoc | 10 +++++----- docs/03-verification/02-learning-goals.adoc | 8 ++++---- docs/04-cryptography/02-learning-goals.adoc | 14 +++++++------- docs/embsec/05-attacks/02-learning-goals.adoc | 10 +++++----- .../06-considerations/02-learning-goals.adoc | 12 ++++++------ docs/embsec/07-patterns/02-learning-goals.adoc | 8 ++++---- 7 files changed, 35 insertions(+), 35 deletions(-) diff --git a/docs/01-introduction/02-learning-goals.adoc b/docs/01-introduction/02-learning-goals.adoc index 387ef5d..25104ab 100644 --- a/docs/01-introduction/02-learning-goals.adoc +++ b/docs/01-introduction/02-learning-goals.adoc @@ -8,7 +8,7 @@ // tag::EN[] [[LG-1-1]] -==== LG 1-1: Definition of Security +==== LG 1-1: Know what security means in the context of an architecture. Participants know a definition of security and understand it as a quality of the system. Participants understand the relationship and trade-offs to other quality attributes. 
@@ -18,14 +18,14 @@ Definitions can be found for example in ISO/IEC 25010, ISO/SAE 21434 and IEC 624 endif::[] [[LG-1-2]] -==== LG 1-2: Security Properties +==== LG 1-2: Know the security triad Participants know the security properties of the universal triad: confidentiality, integrity and availability. In addition they know additional common properties such as authentication, authorization and non-repudiation. [[LG-1-3]] -==== LG 1-3: Security Lifecycles +==== LG 1-3: Understand that security needs to be considered throughout a product's lifecycle Participants understand, that security must be considered in the whole product lifecycle and not just for the development phase. Participants understand that maintaining security requires participation and consideration of all stakeholders. @@ -38,7 +38,7 @@ Lifecycle and NIST's Secure Software Development Framework. endif::[] [[LG-1-4]] -==== LG 1-4: Security Regulations and standards +==== LG 1-4: Know relevant regulations, standards and guidelines. Participants understand the difference between regulations, standards and guidelines. Participants know examples of regulations, standards and guidelines regarding security. diff --git a/docs/02-analysis/02-learning-goals.adoc b/docs/02-analysis/02-learning-goals.adoc index 90b1192..46c6835 100644 --- a/docs/02-analysis/02-learning-goals.adoc +++ b/docs/02-analysis/02-learning-goals.adoc @@ -19,7 +19,7 @@ tbd. // tag::EN[] [[LG-2-1]] -==== LG 2-1: System definition and context +==== LG 2-1: Create a system definition and context Participants understand the security purpose of the system context. Participants are able to create a system context view, building on their Foundation Level knowledge. The system context provides necessary information for the security analysis of the system: 
@@ -29,7 +29,7 @@ The system context provides necessary information for the security analysis of t * Assets associated with the system [[LG-2-2]] -==== LG 2-2: Asset and damage identification +==== LG 2-2: Identify assets and damage scenarios Participants understand what assets are and know typical examples. Participants are able to identify assets for a given system. @@ -42,7 +42,7 @@ channels. endif::[] [[LG-2-3]] -==== LG 2-3: Threat Modeling +==== LG 2-3: Perform threat modeling Participants know approaches to threat modeling (attacker-, asset-, system-centric) and understand their advantages and disadvantages. @@ -52,7 +52,7 @@ Participants understand that threat modeling is an interdisciplinary tasks, that inputs. [[LG-2-4]] -==== LG 2-4: Threat scenario analysis +==== LG 2-4: Analyse identified threats Participants know approaches to identifying threats (e.g., Misuse Case Diagram, Data Flow Diagram, STRIDE). @@ -62,7 +62,7 @@ Analysis, Kill-Chains). Participants are able to identify and analyze threats for a given system. [[LG-2-5]] -==== LG 2-4: Risk Assessment Methods +==== LG 2-4: Assess and rate identified risks Participants understand the goal of assessing the risk of threats and the associated damage scenarios. Participants know approaches to classifying and rate attack risks. diff --git a/docs/03-verification/02-learning-goals.adoc b/docs/03-verification/02-learning-goals.adoc index 759a8f2..965c434 100644 --- a/docs/03-verification/02-learning-goals.adoc +++ b/docs/03-verification/02-learning-goals.adoc @@ -20,7 +20,7 @@ tbd. // tag::EN[] [[LG-3-1]] -==== LG 3-1: Verification Goals +==== LG 3-1: Understand the goals of verification Participants understand the goals of security verification. Participants know classifications of security Verification methods: 
@@ -31,7 +31,7 @@ Participants know classifications of security Verification methods: Participants understand the advantages and disadvantages of static and dynamic methods. [[LG-3-2]] -==== LG 3-2: Static Analysis +==== LG 3-2: Know static analysis techniques Participants know static analysis techniques such as * Software Composition Analysis @@ -40,7 +40,7 @@ Participants know static analysis techniques such as * Taint Analysis. [[LG-3-3]] -==== LG 3-3: Dynamic Testing +==== LG 3-3: Know dynamic testing techniques Participants know dynamic testing techniques such as * Fuzzy Testing @@ -50,7 +50,7 @@ Participants know dynamic testing techniques such as * Robustness Testing [[LG-3-4]] -==== LG 3-4: Penetration Testing +==== LG 3-4: Know what penetration testing is Participants understand the goal of penetration testing. Participants understand the relationship of penetration testing to other verification methods. Participants know the steps of a penetration test: diff --git a/docs/04-cryptography/02-learning-goals.adoc b/docs/04-cryptography/02-learning-goals.adoc index 9dce3ec..20c6753 100644 --- a/docs/04-cryptography/02-learning-goals.adoc +++ b/docs/04-cryptography/02-learning-goals.adoc 
@@ -20,20 +20,20 @@ tbd. // tag::EN[] [[LG-4-1]] -==== LG 4-1: Goals of Cryptography +==== LG 4-1: Know the goals of cryptography -Participants know the goals of cryptography (Authenticity, Confidentiality and Integrity). +Participants know the goals of cryptography (Protection of authenticity, confidentiality and integrity). Participants know how a basic cryptographic function works. [[LG-4-2]] -==== LG 4-2: Symmetric Cryptography +==== LG 4-2: Understand symmetric cryptography and know its usecases Participants understand what symmetric cryptography is. Participants know use cases, advantages and disadvantages of symmetric cryptography. Participants know examples of recommended symmetric algorithms (e.g. from NIST or BSI). [[LG-4-3]] -==== LG 4-3: Asymmetric Cryptography +==== LG 4-3: Understand asymmetric Cryptography and know its usecases Participants understand what asymmetric cryptography is. Participants know use cases, advantages and disadvantages of asymmetric cryptography. @@ -41,7 +41,7 @@ Participants know examples of recommended asymmetric algorithms (e.g. from NIST of the need to future-proof applications for post-quantum attacks. [[LG-4-4]] -==== LG 4-4: Secure Hashing +==== LG 4-4: Understand secure hashing and know its usecases Participants understand what a hash function does. Participants understand quality goals of hash functions (preimage resistance, second-preimage @@ -50,7 +50,7 @@ Participants know use cases of hashing. Participants know examples of recommended hashing algorithms (e.g. from NIST or BSI). [[LG-4-5]] -==== LG 4-5: Key Derivation Functions +==== LG 4-5: Understand key derivation functions and know their use cases Participants understand the use of key derivation functions. Participants understand the difference in qualities compared to hashing functions. 
@@ -58,7 +58,7 @@ Participants know examples of recommended key derivation functions and their use BSI) [[LG-4-6]] -==== LG 4-6: Randomness and Entropy +==== LG 4-6: Understand the need for randomness and entropy, and know typical sources Participants understand why cryptographically-secure random values are an important cornerstone of cryptography. diff --git a/docs/embsec/05-attacks/02-learning-goals.adoc b/docs/embsec/05-attacks/02-learning-goals.adoc index 002a2dd..c8eb040 100644 --- a/docs/embsec/05-attacks/02-learning-goals.adoc +++ b/docs/embsec/05-attacks/02-learning-goals.adoc @@ -20,27 +20,27 @@ tbd. // tag::EN[] [[LG-5-1]] -==== LG 5-1: Attacker Motivations and Knowledge +==== LG 5-1: Know attacker motivations and knowledge Participants know the levels of capabilities (script kiddy, programmer, security expert, state actor/competitor, etc.) and motivations (fun, research, monetary gain) attackers exhibit. They should understand the issues with attacker-based risk approaches. [[LG-5-2]] -==== LG 5-2: Attack Terminology +==== LG 5-2: Understand attack terminology Participants understand the difference between weaknesses and vulnerabilities. They understand the concept of an attack surface and how it relates to weaknesses and vulnerabilities. [[LG-5-3]] -==== LG 5-3: Security Information Sources +==== LG 5-3: Know sources for security information Participants know sources from which information about attacks, vulnerabilities and weaknesses can be gathered (e.g., CVE and CWE database, OWASP, SANS Institute, CISA, BSI, or UN R 155 for automotive). [[LG-5-4]] -==== LG 5-4: Common Attack Patterns +==== LG 5-4: Know common attack patterns Participants understand typical weaknesses, attack patterns and their effects. Examples for these are overflows, injections, privilege escalations, denial of service, 
@@ -49,7 +49,7 @@ Further examples can be found in the OWASP (IoT) Top 10 and aforementioned secur sources. [[LG-5-5]] -==== LG 5-5: Hardware Attack Surfaces +==== LG 5-5: Know hardware attack surfaces Participants understand that attacks on embedded systems are not limited to software-based attacks, but can also be conducted via the system's hardware. diff --git a/docs/embsec/06-considerations/02-learning-goals.adoc b/docs/embsec/06-considerations/02-learning-goals.adoc index 712e453..5842e4b 100644 --- a/docs/embsec/06-considerations/02-learning-goals.adoc +++ b/docs/embsec/06-considerations/02-learning-goals.adoc @@ -20,7 +20,7 @@ tbd. // tag::EN[] [[LG-6-1]] -==== LG 6-1: Security as a Quality in Embedded Systems +==== LG 6-1: Understand security as a quality in embedded systems Participants understand security as a system quality and its relation to other quality requirements. Participants understand security as a quality in the context of ISO 25010 and the relation of these @@ -33,13 +33,13 @@ uncircumventable risk, therefore it should be considered that the compromise of not compromise all products (e.g., when the same symmetric key is used in all devices). [[LG-6-2]] -==== LG 6-2: Safety and Security +==== LG 6-2: Understand the relationship of safety and security Participants understand that embedded systems can influence the physical world and pose additional safety risks that need to be addressed. [[LG-6-3]] -==== LG 6-3: Guiding Principles +==== LG 6-3: Understand the guiding principles of security Participants understand that good software engineering practices help designing a more secure system. @@ -56,7 +56,7 @@ reflected in embedded systems, examples include: * Input and Output Validation [[LG-6-4]] -==== LG 6-4: Resource Restrictions +==== LG 6-4: Understand the effect of resource restrictions on security Participants understand that resource constraints limit the solution space for embedded systems. Examples of such limitations are: 
@@ -73,7 +73,7 @@ these keys are compromised. Enforcement of roll-back protections through hardwar limited by the amount of available fuses. [[LG-6-5]] -==== LG 6-5: Software Updates +==== LG 6-5: Understand the role of software updates Participants understand the need for software updates and the challenges deploying updates to embedded devices pose. @@ -83,7 +83,7 @@ Participants know possible solutions to securely deploy updates to embedded devi and encrypted firmware packages, secure version numbers) [[LG-6-6]] -==== LG 6-6: Secure Implementation +==== LG 6-6: Know secure implementation techniques Participants understand how a well engineered implementation supports the security goals. Participants know standards and guidelines to reduce the likelihood of introducing defects during diff --git a/docs/embsec/07-patterns/02-learning-goals.adoc b/docs/embsec/07-patterns/02-learning-goals.adoc index 1b232a7..f54458d 100644 --- a/docs/embsec/07-patterns/02-learning-goals.adoc +++ b/docs/embsec/07-patterns/02-learning-goals.adoc @@ -20,7 +20,7 @@ tbd. // tag::EN[] [[LG-7-1]] -==== LG 7-1: Authentication and Authorization +==== LG 7-1: Know solutions to ensure authentication and authorization Participants know methods, patterns and technologies to ensure authentication of entities and manage authorization for actions taken on the system. @@ -45,7 +45,7 @@ Participants understand that user interaction with the device might be limited, authentication mechanisms. [[LG-7-2]] -==== LG 7-2: System Integrity +==== LG 7-2: Know solutions to ensure system integrity Participants know methods, patterns and technologies to ensure the system's integrity and protect the system against tampering. 
@@ -68,7 +68,7 @@ Examples to ensure integrity of operations are * control flow checking (e.g., software based encoding or hardware watchdogs), [[LG-7-3]] -==== LG 7-3: Communication +==== LG 7-3: Know solutions to secure communication Participants understand the necessity of ensuring confidentiality, integrity and availability of communication. @@ -86,7 +86,7 @@ security mechanisms for protecting communication over such buses might have lowe guarantees compared to TLS or other typical communication protection. [[LG-7-4]] -==== LG 7-4: Hardware Security +==== LG 7-4: Know hardware security techniques and technologies Participants understand what role the underlying hardware plays in achieving security goals. Participants know how isolation concept can be realized with hardware support, what a Hardware
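Review bot: In docs/01-introduction/02-learning-goals.adoc the new LG 1-1 title ends with a full stop (`Know what security means in the context of an architecture.`), and so does LG 1-4 further down the file, while LG 1-2, LG 1-3 and the retitled headings in the other six files have none. Drop the trailing period from both titles so the section headings render consistently.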
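Review bot: In docs/01-introduction/02-learning-goals.adoc the new LG 1-2 title `Know the security triad` is narrower than the goal's body, which also expects participants to know authentication, authorization and non-repudiation. A title that names both parts, for example `Know the security triad and further common security properties`, would keep the heading in line with what is examined.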
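Review bot: In docs/02-analysis/02-learning-goals.adoc the heading under the `[[LG-2-5]]` anchor is still numbered `LG 2-4` after the retitle, so the file carries two `LG 2-4` headings (`Analyse identified threats` and `Assess and rate identified risks`). Since the line is being rewritten anyway, change it to `==== LG 2-5: Assess and rate identified risks` so the visible number matches the anchor.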
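Review bot: In docs/04-cryptography/02-learning-goals.adoc the new LG 4-2 and LG 4-3 titles spell `usecases` as one word, and LG 4-3 capitalises `Cryptography` mid-title, while the bodies of both goals and the new LG 4-5 title write `use cases`; LG 4-4 in the next hunk has the same spelling. Use `use cases` and lowercase `cryptography` throughout. The same hunk also rewords the LG 4-1 body to `(Protection of authenticity, confidentiality and integrity)`, which goes beyond the heading reformat named in the subject line and deserves a mention in the commit message; `Protection` should be lowercase inside the parenthesis.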
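Review bot: In docs/embsec/05-attacks/02-learning-goals.adoc the LG 5-1 title `Know attacker motivations and knowledge` reads awkwardly ("know ... knowledge") and does not match its body, which speaks of levels of capabilities and motivations. `Know attacker capabilities and motivations` would match the text. In the same hunk LG 5-4 is titled `Know common attack patterns` although its body says participants understand typical weaknesses and attack patterns; choose the verb that reflects the intended learning level so title and body agree.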