标准摘要
[中文适用范围]: 本技术报告细化了ISO/IEC 18045定义的AVA_VAN保证族活动,并针对执行ISO/IEC 15408评估提供更具体的指导,以识别、选择和评估与软件目标相关的潜在漏洞。本技术报告利用公开的信息安全资源支持ISO/IEC 18045漏洞分析活动的方法。当前的技术报告使用公共弱点枚举(CWE)和公共攻击模式枚举和分类(CAPEC),但不排除使用其他适当资源的可能性。此外,本技术报告并非旨在涵盖所有可能的漏洞分析方法,包括那些超出ISO/IEC 18045活动范围的方法。本技术报告未定义某些高保证ISO/IEC 15408组件的评估器动作,在这些情况下尚未达成广泛一致的指导。 [外文原描述]: ISO/IEC TR 20004:2015 refines the AVA_VAN assurance family activities defined in ISO/IEC 18045 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. This Technical Report leverages publicly available information security resources to support the method of scoping and implementing ISO/IEC 18045 vulnerability analysis activities. The Technical Report currently uses the common weakness enumeration (CWE) and the common attack pattern enumeration and classification (CAPEC), but does not preclude the use of any other appropriate resources. Furthermore, this Technical Report is not meant to address all possible vulnerability analysis methods, including those that fall outside the scope of the activities outlined in ISO/IEC 18045. ISO/IEC TR 20004:2015 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.
英文名称Information technology - Security techniques - Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045