238 lines
4.5 KiB
HTML
238 lines
4.5 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Security Requirements</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Secure Programming for Linux and Unix HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Specialized Security Extensions for Unix-like Systems"
|
|
HREF="unix-extensions.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Common Criteria Introduction"
|
|
HREF="x595.html"></HEAD
|
|
><BODY
|
|
CLASS="CHAPTER"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Secure Programming for Linux and Unix HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="unix-extensions.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x595.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="CHAPTER"
|
|
><H1
|
|
><A
|
|
NAME="REQUIREMENTS"
|
|
></A
|
|
>Chapter 4. Security Requirements</H1
|
|
><TABLE
|
|
BORDER="0"
|
|
WIDTH="100%"
|
|
CELLSPACING="0"
|
|
CELLPADDING="0"
|
|
CLASS="EPIGRAPH"
|
|
><TR
|
|
><TD
|
|
WIDTH="45%"
|
|
> </TD
|
|
><TD
|
|
WIDTH="45%"
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><I
|
|
><P
|
|
><I
|
|
>You will know that your tent is secure;
|
|
you will take stock of your property and find nothing missing.</I
|
|
></P
|
|
></I
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="45%"
|
|
> </TD
|
|
><TD
|
|
WIDTH="45%"
|
|
ALIGN="RIGHT"
|
|
VALIGN="TOP"
|
|
><I
|
|
><SPAN
|
|
CLASS="ATTRIBUTION"
|
|
>Job 5:24 (NIV)</SPAN
|
|
></I
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><DIV
|
|
CLASS="TOC"
|
|
><DL
|
|
><DT
|
|
><B
|
|
>Table of Contents</B
|
|
></DT
|
|
><DT
|
|
>4.1. <A
|
|
HREF="x595.html"
|
|
>Common Criteria Introduction</A
|
|
></DT
|
|
><DT
|
|
>4.2. <A
|
|
HREF="x608.html"
|
|
>Security Environment and Objectives</A
|
|
></DT
|
|
><DT
|
|
>4.3. <A
|
|
HREF="x615.html"
|
|
>Security Functionality Requirements</A
|
|
></DT
|
|
><DT
|
|
>4.4. <A
|
|
HREF="x641.html"
|
|
>Security Assurance Measure Requirements</A
|
|
></DT
|
|
></DL
|
|
></DIV
|
|
><P
|
|
>Before you can determine if a program is secure, you need to determine
|
|
exactly what its security requirements are.
|
|
Thankfully, there's an international standard for identifying and defining
|
|
security requirements that is useful for many such circumstances:
|
|
the Common Criteria [CC 1999], standardized as ISO/IEC 15408:1999.
|
|
The CC is the culmination of decades of work to identify
|
|
information technology security requirements.
|
|
There are other schemes for defining security requirements and evaluating
|
|
products to see if products meet the requirements,
|
|
such as NIST FIPS-140 for cryptographic equipment,
|
|
but these other schemes are generally focused on a
|
|
specialized area and won't be considered further here.</P
|
|
><P
|
|
>This chapter briefly describes the Common Criteria (CC) and how to use its
|
|
concepts to help you informally identify security requirements and
|
|
talk with others about security requirements using standard terminology.
|
|
The language of the CC is more precise, but it's also more formal and
|
|
harder to understand; hopefully the text in this section will help you
|
|
"get the jist".</P
|
|
><P
|
|
>Note that, in some circumstances, software cannot be used unless it
|
|
has undergone a CC evaluation by an accredited laboratory.
|
|
This includes certain kinds of uses in the U.S. Department of Defense
|
|
(as specified by NSTISSP Number 11, which requires that before some
|
|
products can be used they must be evaluated or enter evaluation),
|
|
and in the future such a requirement may
|
|
also include some kinds of uses for software in the U.S. federal government.
|
|
This section doesn't provide enough information
|
|
if you plan to actually go through a CC evaluation by an
|
|
accredited laboratory.
|
|
If you plan to go through a formal evaluation,
|
|
you need to read the real CC, examine various websites to really understand
|
|
the basics of the CC, and
|
|
eventually contract a lab accredited to do a CC evaluation.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="unix-extensions.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x595.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Specialized Security Extensions for Unix-like Systems</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Common Criteria Introduction</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |