In very simple terms, Project Meili has reached its mid-term with a broad answer to the question: is it feasible to provide a rapidly reconfigurable facility to test cybersecurity? The simple answer is yes. However, when looking at cybersecurity testing standards, the answer quickly becomes more muddled. In short, few testing standards give a view of vulnerabilities. What the majority of formal standards do is verify correct behaviour: they check that protocols and algorithms actually work. They will certainly identify a failure of any of the CIA (confidentiality, integrity, availability) attributes, so things like a malformed certificate or the wrong signature will be picked up. However, wider weaknesses such as memory leaks, propensity for privilege escalation, overload failure, and so on are not captured by the standard tests. Additional work is required to fill the standards gaps here, and this is one of the findings we expect to expand on as we finalise the study.
We are also looking at pen-tests, but again in the context of a standards-centric approach. The focus on standards is important: users of a test facility have to be able to know what is tested and how. So the pen-test will look to run a fairly comprehensive set of fuzzed tests that aim to identify whether the system has glaring weaknesses.
Project Meili - Infrastructure for Cybersecurity Testing of CAVs
The project objective is to determine the feasibility of providing a cybersecurity evaluation platform for different types of Connected and Autonomous Vehicles (CAV) and their integration into smart city, smart-transport, and other infrastructure technologies. The project will investigate the possibility of quantitative measurement of cyber-physical resilience, and the effectiveness of cyber security for vehicles, roadside infrastructure, and the supporting services that enable CAV.