Abstract
IT security evaluation based on the Common Criteria (CC, ISO/IEC 15408), the international standard for evaluating the security properties of IT products and systems, requires evaluation deliverables such as development and operational documents of the TOE (Target of Evaluation), according to the EAL (Evaluation Assurance Level). Because most developers prepare evaluation deliverables after their products have been developed, additional cost and time are spent reverse-engineering the evaluation evidence. However, the CC does not provide any methodological support for preparing evaluation deliverables, and related work is insufficient. In this paper, we present how the CC can be applied to the development process to improve the security of products and to reduce the time and cost of IT security evaluation. We demonstrate our idea by means of a case study: developing MTOS 7.5, a security-enhanced UNIX-like operating system based on BSD 4.4, according to EAL3 in the CC.
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, S.H., Leem, C.S. (2004). A Case Study in Applying Common Criteria to Development Process to Improve Security of Software Products. In: Laganá, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds) Computational Science and Its Applications – ICCSA 2004. ICCSA 2004. Lecture Notes in Computer Science, vol 3043. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24707-4_120
DOI: https://doi.org/10.1007/978-3-540-24707-4_120
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22054-1
Online ISBN: 978-3-540-24707-4
eBook Packages: Springer Book Archive