Handbook for the Computer Security Certification of Trusted Systems

Active / Technical Report | Accession Number: ADA390673

Abstract:

Penetration testing is required for National Computer Security Center (NCSC) security evaluations of systems and products for the B2, B3, and A1 class ratings of the Trusted Computer System Evaluation Criteria (TCSEC). This guideline is a definitive statement of what constitutes good penetration testing, where it fits in the DoD Standard Software Engineering and TCSEC life cycles, and how it is done according to the best available practice, the Flaw Hypothesis Methodology (FHM). A review of the TCSEC assurance products is presented, as they form evidence of a chain of reasoning on the compliance of the target system to a given evaluation class, and against which penetration testing is mounted. Flaws in the evidence are the products of penetration testing. To exemplify the methodology, results of past experience are provided throughout. The guideline concludes with a short review of new R&D approaches broadly considered penetration testing. An extensive bibliography is provided of work in the field, as is a set of appendices that provide practical management guidance in planning and performing penetration testing.

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:
Approved For Public Release

RECORD

Collection: TR