Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Crown Copyright (2000) Module 2.4 Development Environment.

Similar presentations

Presentation on theme: "© Crown Copyright (2000) Module 2.4 Development Environment."— Presentation transcript:

1 © Crown Copyright (2000) Module 2.4 Development Environment

2 You Are Here M2.1 Security Requirements M2.2 Development Representations M2.3 Functional Testing M2.4 Development Environment M2.5 Operational Environment M2.6 Vulnerability Analysis M2.7 Penetration Testing M2.8 Assurance Maintenance/Composition MODULE 2 - ASSURANCE

3 What is the DEA? Scope –TOE development, production and maintenance Contributes to Assurance by –providing confidence in TOE integrity Involves –examination of procedures and standards –site visits

4 Aspects Covered Configuration Management Development Environment Security Development Tools

5 Configuration Management Configuration System –prevention of unauthorised changes –acceptance procedures Configuration Items Automation

6 Development Environment Security Security Measures –Physical –Procedural –Personnel –Logical Integrity of TOE Confidentiality of Design

7 Development Tools Programming Languages –must be well defined –meaning of all statements unambiguous Selected implementation-dependent options documented –languages –compilers

8 Site Visits Objective - find out what actually happens Confirm documented procedures and measures followed Examine documentary evidence

9 ITSEC Requirements AspectE1E2E3E4E5E6 Version controlTOECL DEA visit Acceptance procedures 4444 Automated Tool Support 444 Rebuild TOE 444 Dependencies between CIs 44 Developers Security 4444 Languages & Compilers 4444

10 CC Requirements AspectEAL1EAL2EAL3EAL4EAL5EAL6EAL7 Version controlTOECL DEA visit Acceptance procedures 4444 Automated Tool Support 4444 Dependencies of CIs 44 Development Security Life-cycle model DEVSTD MES Tools & Techniques 4444

11 Lifecycle Model - 1 Life-cycle model must ensure adequate control over TOE development and maintenance Covers procedures, tools and techniques Intent is to minimise risk of introduction of security flaws

12 Lifecycle Model - 2 Examples Waterfall Model V Model Rapid Application Development (RAD)

13 Flaw Remediation Identify Flaws Documentation Resolution Assurance Maintenance

14 Evaluation Reporting Examination of documentation –show how & where requirements satisfied Site visits –development staff interviewed –evidence inspected –coverage of aspects

15 Summary Confidence in the TOE integrity Site visits –preparation the key –records Where does it fit ?

16 Further Reading ITSEC evaluation UK SP 05 Part III, Chapter 8 CC evaluation CC Part 1, Section CC Part 3, Sections 2.6.1, 2.6.5, 8 and 12 CEM Part 2, Chapters 5-8 (ACM/ALC sections)

Download ppt "© Crown Copyright (2000) Module 2.4 Development Environment."

Similar presentations

Ads by Google