New ISO/IEC TR 20004 released – Information technology – Security techniques – Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045

If you’re in the software business (and who isn’t these days?), security is one of your biggest concerns.  So having your software evaluated for weaknesses is essential when dealing with sensitive information.  ISO and IEC have jointly released a new Technical Report, ISO/IEC TR 20004, “Information technology – Security techniques – Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045,” which is available now from Document Center Inc.

In exceptional circumstances, when a committee has collected data of a different kind than normally published as an International Standard (“state of the art”, for example), it may decide to publish a Technical Report. A Technical Report is entirely informative in nature and is reviewed once every 5 years, just like a standard.

This new ISO/IEC TR 20004:2012 provides guidance for software evaluators working to ISO/IEC 15408-1, ISO/IEC 15408-2, ISO/IEC 15408-3 and ISO/IEC 18045. It refines the AVA_VAN (vulnerability analysis) assurance family activities defined in ISO/IEC 18045:2008 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation (TOE).

ISO/IEC TR 20004:2012 also leverages the Common Weakness Enumeration (CWE) and the Common Attack Pattern Enumeration and Classification (CAPEC) to support the method of scoping and implementing ISO/IEC 18045:2008 vulnerability analysis activities.

The 24-page Technical Report does not define evaluator actions for certain high assurance ISO/IEC 15408 components, since there is no generally agreed guidance yet.

The target audience for this Technical Report is primarily evaluators applying ISO/IEC 15408 and certifiers confirming evaluator actions. Evaluation sponsors, developers, Protection Profile (PP) and Security Target (ST) authors, and other parties interested in IT security are a secondary audience.

This new document recognizes that not all questions concerning IT security evaluation will be answered by the report and that further interpretations will be needed. Individual schemes will determine how to handle such interpretations and other guidance, although these can be subject to mutual recognition agreements.

All ISO, IEC and ISO/IEC standards are available from Document Center Inc. at our website, www.document-center.com.  You can also contact us by phone (650-591-7600), fax (650-591-7617) or email (info@document-center.com).  We have the expertise to assist you not only with your standards purchases, but also the questions that you have about the use and maintenance of your standards collections.