Full Disclosure mailing list archives
Re: Can ISO15408 evaluated products be trusted?
From: HHikita <h_hikita () yahoo co jp>
Date: Sun, 22 May 2005 01:13:42 +0900
Nora Barrera wrote:
I was told that "internal risk" is not taken into account in Japan. No employee would hack his own company.
The traditional employment system in Japan was "Shuushin Koyou". You were basically assured your job until retirement. So before there was any information technology, 30 years of your annual income was enough to mitigate most threats. There are still companies which do not take "internal risk" into account, and you are able to read about their consequences in the newspapers daily.
How can this be evaluated? The evaluation laboratory says "Not clear, not understandable". And the guy who wrote the description answers "you are too stupid to understand it". What happens next?
The evaluator would at least have to specify where and/or what in the Security Target that he finds to be "Not clear, not understandable". And the developer is given a chance to take action against these claims. If the issue is not resolved at the end of the evaluation, then the verdict would be "fail" or "inconclusive".
_Supposed_ You said it!
You would have to do some homework on the kind of product the PP or ST is about.
