Verification Methodology
Purpose
This page defines how security controls are actively tested and verified through practical scenarios.
The objective is to:
- validate control effectiveness
- observe system behavior under stress or misuse
- identify gaps between expected and actual outcomes
Core Principle
If a risk cannot be simulated, it cannot be properly validated.
Approach
Verification scenarios are:
- risk-driven (linked to R-001 to R-003)
- control-focused (validate specific controls)
- practical (simple, executable in the lab)
Scenario Design Logic
Each scenario answers:
“What happens if this risk actually occurs?”
Scenarios must:
- simulate a realistic event
- trigger observable signals
- allow comparison between expected and actual behavior
Scenario Scope (Current Lab)
Scenarios focus on:
1. Administrative Access Abuse (R-003)
- failed SSH logins
- brute-force simulation
- unauthorized access attempts
2. Exposure & Reverse Proxy Misuse (R-001)
- HTTP probing
- access to unexpected endpoints
- malformed requests
3. Application Misuse (R-002)
- failed login attempts (Dolibarr)
- abnormal requests
- basic input manipulation
Scenario Structure
Each scenario is documented using:
| Field | Description |
|---|---|
| Scenario ID | V-XXX |
| Related Risk | R-XXX |
| Target Control(s) | C-XXX |
| Description | What is tested |
| Execution Method | How to perform the test |
| Expected Outcome | What should happen |
| Observed Outcome | What actually happens |
| Detection Result | Detected / Not detected |
| Conclusion | Effective / Partial / Ineffective |
| Notes | Observations |
Execution Model
At the current stage:
- scenarios are manual
- execution is controlled
- frequency is low but targeted
Success Criteria
A scenario is considered successful if:
- the control behaves as expected
- signals are observable
- detection (if applicable) is triggered
Known Limitations
- limited number of scenarios
- no automation
- partial detection capability
Evolution
Next steps:
- expand scenarios progressively
- improve repeatability
- align scenarios with monitoring signals