Full Disclosure mailing list archives

Re: Can ISO15408 evaluated products be trusted?
From: HHikita <h_hikita () yahoo co jp>
Date: Sun, 22 May 2005 01:13:42 +0900

Nora Barrera wrote:

I was told that "internal risk" is not taken into
account in Japan. No employee would hack his own

The traditional employment system in Japan was "Shuushin Koyou".
You were basically assured your job until retirement.
So before there was any information technology, 30 years of your
annual income was enough to mitigate most threats.

There are still companies which do not take "internal risk" into
account, and you are able to read about their consequences
in the newspapers daily.

How can this be evaluated? The evaluation laboratory
says "Not clear, not understandable". And the guy who
wrote the description answers "you are too stupid to
understand it". What happens next?

The evaluator would at least have to specify where and/or what in the
Security Target he finds to be "Not clear, not understandable". And the
developer is given a chance to take action against these claims.

If the issue is not resolved at the end of the evaluation, then the
verdict would be "fail" or "inconclusive".

You said it!

You would have to do some homework on the kind of product the PP or ST
is about.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
