Comparing Common Criteria's Vulnerability Analysis with SAFECode's Secure Coding Practices
KTH, School of Electrical Engineering and Computer Science (EECS).
KTH, School of Electrical Engineering and Computer Science (EECS).
2019 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis
Abstract [en]

Common Criteria is used today by multiple countries and authorities to evaluate and certify secure IT products. This process is a lengthy one that can take upwards of eighteen months. This thesis tries to solve this problem by seeing if the vulnerability analysis part of the Common Criteria at evaluation assurance level two can be replaced by making sure that the development of the product was performed according to the secure coding practices presented by SAFECode.

To reach our conclusion we applied both the vulnerability analysis of Common Criteria and the coding standards of SAFECode to a product to see what vulnerabilities we could find. After performing both evaluations of the product according to each process, we analysed the results. By looking at the results from both processes we were able to see if Common Criteria and SAFECode had any connections or crossovers.

We found that the vulnerabilities that the Common Criteria found would not have been present if the secure coding practices of SAFECode had been used during the development, meaning SAFECode could in some way be used with Common Criteria. We did not find evidence that proves that the vulnerability analysis can't be replaced; we therefore imply that the possibility to replace or supplement exists for evaluation assurance level two. More research is needed on this question to provide a guarantee for any real-world application.

Abstract [sv]

Today, Common Criteria is used by a number of countries and authorities to evaluate and certify secure IT products. This is a long process that can take up to eighteen months to carry out. This thesis tries to solve this problem by testing whether the vulnerability analysis in Common Criteria at "Evaluation Assurance Level" two can be replaced, by ensuring that the product is developed according to a method for secure code development presented by SAFECode.

To reach our conclusion we applied both the vulnerability analysis from Common Criteria and the method for secure code development from SAFECode to a product to see which vulnerabilities could be found. After both processes had been carried out on the product, the results were analysed. By looking at the results from both methods we could see whether there were any connections or overlapping results.

We discovered that the vulnerabilities that Common Criteria found would not exist if the secure code development methods from SAFECode had been used during the development process of the product. We found nothing that proves that the vulnerability analysis cannot be replaced and therefore suggest that there is a possibility of replacing Common Criteria's vulnerability analysis process with the SAFECode process, or of adding the SAFECode process as an aid, for "Evaluation Assurance Level" two. More research is needed on this subject to give a guarantee that this holds for all real-world applications.

Place, publisher, year, edition, pages
2019, p. 35
Series
TRITA-EECS-EX ; 2019:583
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-259201; OAI: oai:DiVA.org:kth-259201; DiVA, id: diva2:1350748
External cooperation
FMV
Supervisors
Examiners
Available from: 2019-09-12. Created: 2019-09-12. Last updated: 2019-09-12. Bibliographically approved

Open Access in DiVA

fulltext (708 kB), 9 downloads
File information
File name: FULLTEXT01.pdf. File size: 708 kB. Checksum SHA-512:
e6a9eb7d8357a0cd62fbfbba01b967603f28205e0efc37692036811ed7f5f1810aff340c88be31962c77714cdb315672473ede5d2abc8463931a6a4f33bc1e2c
Type: fulltext. Mimetype: application/pdf
