- What is the value of doing a formal evaluation?
- What do you see as the drawbacks of formal evaluation?
If possible and applicable, frame your answer around a situation relevant to your current work. If not, frame your answer around a hypothetical situation or a situation you experienced in a past work environment.
Note: If you do use a work example, make sure that it is unencumbered (meaning you are free to discuss it). Be sure not to divulge any proprietary or confidential information. If you are unsure, do not post the example; answer the question using a hypothetical situation instead.
The Common Criteria, CC, Web site is located at: http://www.commoncriteriaportal.org/index.html
- Go to the above web site and explore for yourself its contents.
- Go to the certified products area and find a hardware product (or a software product, or a bundled hardware and software product) which you are interested in or have firsthand knowledge of. For example, you might search for a product from Citrix Systems Inc. You may instead decide to look up a Microsoft or Apple product, or an operating system such as Windows 10 or IBM's AIX.
- In this conference, state what you found regarding your chosen product. At what Evaluation Assurance Level (EAL) was it certified, and against which Protection Profile, if any? Who was the evaluator (the evaluation laboratory and the certifying scheme)? List three security functional requirements (SFRs) of your product. List three security assurance requirements (SARs) for the product.
Feel free to assume your role is to evaluate responses to your firm's hypothetical Request For Proposals (RFP) for the acquisition or purchase of hardware and/or software, or that your role is that of a member of a site Audit Team which is charged with determining compliance with the Common Criteria for your firm's existing Information and Communication Technology (ICT) hardware and software resources. Your role can even be that of a private individual who is interested in purchasing a hardware and software configuration and desires to evaluate it prior to buying.
- Klein, G., et al. (2009). seL4: Formal Verification of an OS Kernel. SOSP '09: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, pages 207-220. Retrieved from: http://www.sigops.org/sosp/sosp09/papers/klein-sosp09.pdf.
- Ladkin, P. (2009). Formal Methods in Modern Critical-Software Development. The Abnormal Distribution. Retrieved from: https://abnormaldistribution.org/index.php/2009/06/22/formal-methods-in-modern-critical-software-development/.
- Kuhn, D.R., Chandramouli, R., & Butler, R.W. (n.d.). Cost Effective Use of Formal Methods in Verification and Validation. Retrieved from: https://learn.umgc.edu/content/enforced/124018-022073-01-2162-GO1-9041/FormalTechniquesNIST.pdf.
- Armstrong, R.C., et al. (2014). Survey of Existing Tools for Formal Verification. Sandia National Laboratories. Retrieved from: http://prod.sandia.gov/techlib/access-control.cgi/2014/1420533.pdf.
- Benduhn, F., et al. (2015). A Survey on Modeling Techniques for Formal Behavioral Verification of Software Product Lines. VaMoS '15: Proceedings of the Ninth International Workshop on Variability Modelling of Software-intensive Systems. Retrieved from: http://wwwiti.cs.uni-magdeburg.de/iti_db/publikationen/ps/auto/BenduhnTL+:VaMoS15.pdf.
- D'Silva, V., et al. (2008). A Survey of Automated Techniques for Formal Software Verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 27, No. 7, July 2008. Retrieved from: http://people.eecs.berkeley.edu/~alanmi/publications/other/softver_tutorial.pdf.
- Ouyang, A. (n.d.). Common Body of Knowledge Review: Security Architecture & Design Domain. Version 5.10. Retrieved from: http://opensecuritytraining.info/CISSP-2-SAD_files/2-Security_Architecture+Design.pdf. (Only pages 46-61.)
- Syntegra (on behalf of the Common Criteria Project Sponsoring Organisations). (n.d.). Common Criteria: An Introduction. Retrieved from:
- The CC portal: https://www.commoncriteriaportal.org/.
- Abrams, M.D., & Joyce, M.V. (n.d.). Trusted System Concepts. Retrieved from:
- ITSEC. (1991). Information Technology Security Evaluation Criteria (ITSEC): Harmonised Criteria of France, Germany, the Netherlands, and the United Kingdom. Retrieved from: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/ITSicherheitskriterien/itsec-en_pdf.pdf?__blob=publicationFile.
- Department of Defense. (1985). Trusted Computer System Evaluation Criteria (DoD 5200.28-STD). Retrieved from: http://csrc.nist.gov/publications/history/dod85.pdf.