Jose Emilio Rico: Single Site Security Target. How to.

Transcript of Jose Emilio Rico: Single Site Security Target. How to.

Page 1: Jose Emilio Rico: Single Site Security Target. How to.

Single Site Security Target

How to

Jose Emilio Rico

Epoche & Espri

[email protected]

Page 2: Jose Emilio Rico: Single Site Security Target. How to.

Agenda

• Site certification
• Current methodology and well known SARs' (ALC) issues in CC.
• The manufacturing model
• The Site Certification process
• Single SST template
• Conclusions

September 2013 14 ICCC Orlando 2

Page 3: Jose Emilio Rico: Single Site Security Target. How to.

Site Certification

• Purpose
  o Reusability of results leads to a significant reduction in time and money.
  o Marketing → Developer image
  o A manufacturing process certification
  o From EAL3
• CC & CEM do not help too much in some aspects of ALC.

Let's have a look...

Page 4: Jose Emilio Rico: Single Site Security Target. How to.

Current methodology

• CC part 3 & CEM
• Site Certification Supporting Document
• JIL Minimum DVS requirements for high assurance

Page 5: Jose Emilio Rico: Single Site Security Target. How to.

Well known SARs’ (ALC) issues in CC.

When analyzing the ALC role in CC we found:

• The broken link between SPD & SARs
  o Mapping TOE security capabilities to properties of the security architecture (ADV_ARC).
  o Mapping desirable security properties of the development process and sites to assurance life cycle capabilities (ALC).
  o Mapping AVA_VAN attack potential methodology to security in the development environment.

Page 6: Jose Emilio Rico: Single Site Security Target. How to.

Well known SARs’ (ALC) issues in CC.

When analyzing the ALC role in CC we found:

• Vague information and references to the development process characteristics in the ST.

Page 7: Jose Emilio Rico: Single Site Security Target. How to.

Well known SARs’ (ALC) issues in CC.

When analyzing the ALC role in CC we found:

• Minimum requirements for the development sites

[ALC_DVS.1-1]

The evaluator determines what is necessary by first referring to the ST for any information that may assist in the determination of necessary protection. If no explicit information is available from the ST the evaluator will need to make a determination of the necessary measures.

Page 8: Jose Emilio Rico: Single Site Security Target. How to.

The manufacturing model

Page 9: Jose Emilio Rico: Single Site Security Target. How to.

The manufacturing model

Page 10: Jose Emilio Rico: Single Site Security Target. How to.

Site Certification process

• Site evaluation

AST: SST evaluation → ALC evaluation → ETR

• How to reuse ALC in a later TOE evaluation
  o The TOE-ST defines the scope of the development environment by claiming the ALC requirements.
  o No changes have been made in the certified development environment.
  o The site certificate fulfills all ALC-related SARs of the TOE-ST → no additional evaluation efforts are necessary in the TOE evaluation concerning ALC.

Page 11: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Site Security Target content.

1. Introduction
2. Conformance Claim
3. Security Problem Definition
4. Security Objectives for the development environment
5. Extended Components Definition
6. Security Requirements
7. Site Summary Specification

Page 12: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Common issues in a single SST:
  o Security problem based on risk analysis
  o Security objectives for the Site
  o ALC SARs: ALC_CMS.1, ALC_CMC.3, ALC_DVS.1
• Distinctive issues:
  o Implementation of the selected SARs

Page 13: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security problem based on risk analysis: Assets

Page 14: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security problem based on risk analysis: Agents
  o Insider with rights
  o Insider without any rights
  o Outsider with rights
  o Outsider without any rights

Page 15: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security problem based on risk analysis: Threats

Page 16: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security problem: OSPs

Page 17: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security problem: Assumptions.

No assumptions should be included exempting the developer from meeting the ALC requirements.

If needed...

• Should be outside the sphere of influence of the developer.
• Should be requirements for the final customer: security, CMC for maintenance, etc.

Page 18: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Objectives of the Site vs. Threats (I).

Page 19: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Objectives of the Site vs. Threats (II).

Page 20: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Objectives of the Site vs. OSPs.

Page 21: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Assurance Requirements to meet Site objectives. Configuration Management System.

Page 22: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Assurance Requirements to meet Site objectives. Developers security (I).

Page 23: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Assurance Requirements to meet Site objectives. Developers security (II).

Page 24: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Assurance Requirements to meet Site objectives. Life Cycle model.

Page 25: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Security Assurance Requirements. Application Notes.

Page 26: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Site Summary Specification (SSS)
  o Identify evidence needed for the Site to meet the SARs and describe how the Site met the SARs.
  o ALC_DVS: how it fulfils the attack potential claimed.
  o The SSS has to describe WHAT but not HOW.
  o Sanitized version of the SST → without SSS.

Page 27: Jose Emilio Rico: Single Site Security Target. How to.

Single SST template

• Site Summary Specification (SSS). Attack potential.
  o Attack potential calculation.

Page 28: Jose Emilio Rico: Single Site Security Target. How to.

Conclusions - 1st

• Site certification
  o Reusability: same area, same procedures
    - Significant reduction of time and money efforts.
    - Marketing

Page 29: Jose Emilio Rico: Single Site Security Target. How to.

Conclusions – and 2nd

• The Single SST template:
  o May be derived into a PP with the common aspects, helping in the definition of a set of minimum requirements for medium assurance (e.g. EAL3 & EAL4).
  o May be extended to cover multiple sites in a supply chain including secure delivery. Main add-ons:
    - security measures for transfers between sites
    - acceptance procedures.

Page 30: Jose Emilio Rico: Single Site Security Target. How to.

Jose Emilio Rico

[email protected]@epoche.es

Epoche & Espri, S.L.U.

Avda. de la Vega, 1

28108, Alcobendas, Madrid

Spain

Tel: +34 914-902-900

FAX: +34 916-625-344

Epoche & Espri Corporation

4000 Legato Road, Suite 1100

Fairfax, VA 22033

USA

Tel: +1 888-877-9506

FAX: +1 703-227-7189