Secure Programming
Writing Secure code Dec 27 2002 12:46PM Rahul Chander Kashyap (rahul nsecure net) (6 replies)
Re: Writing Secure code Dec 27 2002 06:03PM Valdis Kletnieks vt edu (2 replies)
RE: Writing Secure code Dec 27 2002 08:51PM Roger Alexander (rta cs colostate edu) (1 replies)
RE: Writing Secure code Dec 30 2002 12:41PM Matt McClellan (mmcclellan nfr com) (2 replies)
Re: Writing Secure code[update] Dec 31 2002 10:20AM Rahul Chander Kashyap (rahul nsecure net) (2 replies)
Re: Writing Secure code Dec 27 2002 05:43PM John Viega (viega list org) (2 replies)
> This is pretty good, and needs not much introduction
> The Common Criteria for Information Technology Security Evaluation:
> Download at: http://csrc.nist.gov/cc/ccv20/ccv2list.htm
CC is not a development methodology, nor is it a way to reduce code errors,
nor does it provide concrete ways to help focus development towards a goal
(although it can accurately describe those goals and measure compliance
with them). It's simply a way to say that you can state some things about a
system with some level of certainty. What those claims are and/or what
assurances they provide are a completely different story. CC provides a
valuable service: helping to determine how we can effectively quantify
statements and requirements about security goals, but it does NOT provide
us with either development methodology or any guidelines about what
"secure" means. Rather, it requires the consumer to define for themselves
what "secure" _should_ mean.
CC evaluation isn't worthless, but it rarely provides what people think it
provides, and I'm not sure it's an answer to the poster's question.
--
Alex Russell
alex (at) netWindows (dot) org
alex (at) SecurePipe (dot) com