Paul D. Robertson said:

> Then for ITSEC the evaluation's functionality testing is based on the
> manufacturer's requirements and penetration testing is based on the
> team's skillset?

Yes - Functionality testing is based on the Security Enforcing Functions defined by 
the manufacturer, as well as (I should have mentioned this before) the "ease of use" 
of those functions.

Penetration testing is indeed based on the evaluation team's skillset. I'm not sure 
how these skillsets are maintained, and whether the actual certification body (NSA, 
CESG, etc.) tests the evaluation teams or not. The manufacturer doesn't even get to 
watch the penetration testing, so I'll never be able to tell you how good or bad they 
are.

> I'm just trying to figure out if there's more wiggle room in the 
> ITSEC/CC process for things that should need assurance to be 
> missed because they were omitted from the scope of
> the evaluation.  (This especially worries me in regard to the fact that
> the NT4 eval. seems to be a RAMP of the NT3.51 eval.) 

Well, since the manufacturer decides what bits are going to be assured, the customer 
definitely has to know what the declared Security Enforcing Functions are. This is why 
people use things like F-B1, which is a functionality class giving you a set of SEFs. 
A plain certification without functionality classes declared can still be good, but 
you have to find out what exactly they had certified.

(This is why it really annoys me when I go to a company's stand at a security 
exhibition to ask questions and get the response "What do you mean which functions are 
assured? The whole product is assured!")

> Are any of the code review guidelines available?  Having read most of 

I have to admit I've only browsed a few of the rainbow books. As far as code review 
guidelines, I don't know of any offhand, I'm afraid. I 

> process.  You need to understand the evaluation process and the results
> before you can attach any significance to it.  That's why most of us yawn
> at C2 certifications yet some people consider it a major milestone.  From
> my point of view MAC and compartments are where it gets interesting - the
> problem to be conquered there is to provide an easy-to-use administrative

I agree with you on both counts there - certifications at a level like Microsoft's can 
be extremely misleading to people who don't understand what all the letters and 
numbers actually mean. (And MAC with compartments/domain separation makes things much 
more entertaining!)

> In fact, I question the validity of even having a non-network evaluation
> these days.

That's because you aren't in marketing!

Mike

[EMAIL PROTECTED]