ISO/IEC TR 20004 – Information technology – Security techniques – Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
1 Scope

This Technical Report refines the AVA_VAN assurance family activities defined in ISO/IEC 18045 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. This Technical Report leverages publicly available information security resources to support the method of scoping and implementing ISO/IEC 18045 vulnerability analysis activities. The Technical Report currently uses the Common Weakness Enumeration (CWE) and the Common Attack Pattern Enumeration and Classification (CAPEC), but does not preclude the use of any other appropriate resources. Furthermore, this Technical Report is not meant to address all possible vulnerability analysis methods, including those that fall outside the scope of the activities outlined in ISO/IEC 18045. This Technical Report does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

2.1 assurance case
structured set of claims, arguments and a corresponding body of evidence to demonstrate that a system satisfies specific claims with respect to its security properties

2.2 attack pattern
abstracted approach utilized to attack software

2.3 attack potential
measure of the effort to be expended in attacking a TOE, expressed in terms of an attacker's expertise, resources and motivation

2.6 determine
affirm a particular conclusion based on independent analysis with the objective of reaching a particular conclusion
Note 1 to entry: The usage of this term implies a truly independent analysis, usually in the absence of any previous analysis having been performed. Compare with the terms "confirm" or "verify", which imply that an analysis has already been performed which needs to be reviewed.
[SOURCE: ISO/IEC 15408-1:2009, 3.1.22]

2.7 encountered potential vulnerabilities
potential weakness in the TOE identified by the evaluator while performing evaluation activities that could be used to violate the SFRs
[SOURCE: ISO/IEC 15408-1:2009, 3.5.2]

2.8 evaluation
assessment of a PP, an ST or a TOE, against defined criteria
[SOURCE: ISO/IEC 15408-1:2009, 3.1.26]

2.9 exploitable vulnerability
weakness in the TOE that can be used to violate the SFRs in the operational environment for the TOE
[SOURCE: ISO/IEC 15408-1:2009, 3.5.3]

2.10 potential vulnerability
suspected, but not confirmed, weakness
Note 1 to entry: Suspicion is by virtue of a postulated attack path to violate the SFRs.
[SOURCE: ISO/IEC 15408-1:2009, 3.5.5]

2.11 Protection Profile
implementation-independent statement of security needs for a TOE type
[SOURCE: ISO/IEC 15408-1:2009, 3.1.52]

2.12 residual vulnerability
weakness that cannot be exploited in the operational environment for the TOE, but that could be used to violate the SFRs by an attacker with greater attack potential than is anticipated in the operational environment for the TOE
[SOURCE: ISO/IEC 15408-1:2009, 3.5.6]

2.13 Security Target
implementation-dependent statement of security needs for a specific identified TOE
[SOURCE: ISO/IEC 15408-1:2009, 3.1.63]

2.14 selection
specification of one or more items from a list
[SOURCE: ISO/IEC 15408-1:2009, 3.1.64]

2.15 target of evaluation
set of software, firmware and/or hardware possibly accompanied by guidance
[SOURCE: ISO/IEC 15408-1:2009, 3.1.70]

2.16 threat agent
entity that can adversely act on assets
[SOURCE: ISO/IEC 15408-1:2009, 3.1.71]

2.17 TOE evaluation
assessment of a TOE against defined criteria
[SOURCE: ISO/IEC 15408-1:2009, 3.1.72]

2.18 TOE-relevant CVE vulnerabilities
CVE vulnerabilities from all versions of the TOE product family or CVE vulnerabilities associated with products of the same technology type

2.19 verify
rigorously review in detail with an independent determination of sufficiency
Note 1 to entry: Also see confirm (2.4). The term verify has more rigorous connotations. It is used in the context of evaluator actions where an independent effort is required of the evaluator.
[SOURCE: ISO/IEC 15408-1:2009, 3.1.84]