On Wednesday 01 January 2003 06:21, K K Mookhey wrote: > This is pretty good, and needs not much introduction > The Common Criteria for Information Technology Security Evaluation: > Download at: http://csrc.nist.gov/cc/ccv20/ccv2list.htm CC is not a development methodology, nor is it a way to reduce code errors, nor does it provide concrete ways to help focus development towards a goal (although it can accurately describe those goals and measure compliance with them). It's simply a way to say that you can state some things about a system with some level of certaintly. What those claims are and/or what assurances they provide are a completely different story. CC provides a valuable service: helping to determine how we can effectively quantify statements and requirements about security goals, but it does NOT provide us with either development methodology or any guidelines about what "secure" means. Rather, it requires the consumer to define for themselves what "secure" _should_ mean. CC evaluation isn't worthless, but it rarely provides what people think it provides, and I'm not sure it's an answer to the poster's question. -- Alex Russell alexat_private alexat_private
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:43:14 PST