Re: Writing Secure code[update]

From: Alex Russell (alexat_private)
Date: Thu Jan 02 2003 - 15:55:19 PST

    On Wednesday 01 January 2003 06:21, K K Mookhey wrote:
    > This is pretty good, and needs not much introduction
    > The Common Criteria for Information Technology Security Evaluation:
    > Download at: http://csrc.nist.gov/cc/ccv20/ccv2list.htm
    
    CC is not a development methodology, nor is it a way to reduce code errors, 
    nor does it provide concrete ways to help focus development towards a goal 
    (although it can accurately describe those goals and measure compliance 
    with them). It's simply a way to say that you can state some things about a 
    system with some level of certainty. What those claims are and/or what 
    assurances they provide are a completely different story. CC provides a 
    valuable service: helping to determine how we can effectively quantify 
    statements and requirements about security goals, but it does NOT provide 
    us with either development methodology or any guidelines about what 
    "secure" means. Rather, it requires the consumer to define for themselves 
    what "secure" _should_ mean.
    
    CC evaluation isn't worthless, but it rarely provides what people think it 
    provides, and I'm not sure it's an answer to the poster's question.
    
    -- 
    Alex Russell
    alexat_private
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:43:14 PST