Enhancing Security Testing via Automated Replication of IT-Asset Topologies

Security testing of IT-infrastructure in a production environment can have a negative impact on business processes supported by IT-assets. A test bed can be used to provide an alternate testing environment in order to mitigate this impact. Unfortunately, for small and medium enterprises, maintaining a physical test bed and its consistency with the production environment is a cost-intensive task. In this paper, we present the Infrastructure Replication Process (IRP) and a corresponding Topology Editor, to provide a cost-efficient method that makes security testing in small and medium enterprises more feasible. We utilize a virtual environment as a test bed and provide a structured approach that takes into account the differences between a physical and a virtual environment. Open standards, such as SCAP, OVAL or XCCDF, and the utilization the Interconnected-asset Ontology-IO-support the integration of the IRP into existing (automated) processes. We use the implementation of a prototype to present a proof-of-concept that shows how typical challenges regarding security testing can be successfully mitigated via the IRP.