5. Survey and Analysis of Related Standards
5.1 Standards bodies
A few standards bodies have demonstrated over many years an abiding interest in security issues.
No generally accepted standard for secure coding practices exists. This conclusion was reached following:
5.3 Other pertinent security standards
Several security standards, of course, have been developed. Most pertain to Information Technology (IT) Security, and several (including the upcoming ISO/IEC 15443 cited below) focus on quality assurance methodologies. The most useful for the purposes of this survey are listed below. Familiarity with each can be valuable, if only to build confidence that it is not the chimerical "secure coding standard" so many are seeking.
There are many possible testing and quality assurance methodologies which can contribute to the production of secure code. Recommending a specific one is outside the scope of this survey; the SSE-CMM, however, is deserving of careful study here.
The best list we have encountered is included in the upcoming standard from ISO/IEC, WD 15443, which was reviewed in draft. Here is the 15443 breakdown of quality assurance means and methods.
The following materials, while perhaps not strictly international standards, are of the same stature and provide much useful advice.
The following excerpts from ISO/IEC, WD 15443 provide background on those existing standards, guidelines, and other resources judged to be key to this survey.
The System Security Engineering Capability Maturity Model (SSE-CMM) is based on the fundamental principles and structure of the Systems Engineering Capability Maturity Model (SE-CMM) which is also a specialty Capability Maturity Model (CMM) modeled after the original CMM developed by the Software Engineering Institute (SEI). While CMMs target the management and organizational activities of an organization, the SSE-CMM contains a new set of engineering Key Process Areas (KPA) to place more emphasis on the organization's system security engineering activities. Although the SSE-CMM is a developmental process assurance method, it can also be used by organizations to improve their system security engineering processes to develop Information Technology Security (ITS) products or deliver ITS services (such as a threat and risk assessment) with higher quality and within schedule. ... The SSE-CMM is a unique model as it details security engineering requirements for engineering security systems and providing engineering security services in addition to the security requirements which the development environment must meet.
The Trusted Capability Maturity Model (TCMM) is a developmental security software assurance standard based on the fundamental principles and structure of the CMM developed by SEI. Although the TCMM is a specialty CMM, it was created by merging the Trusted Software Development Methodology (TSDM) and the SEI CMM resulting in many revised KPAs and a new KPA called Trusted Software Development containing new practices which did not fit under any of the existing KPAs. The TCMM focuses only on the development environment and targets the management and organizational activities of an organization which differs considerably from the SSE-CMM. The TCMM is applicable only to processes and systems. Any processes related to the TOE development are out of scope.
ISO 9000 is a quality assurance standard which contains 20 high level clauses for an organization to satisfy before obtaining ISO 9000 registration. Originally made for manufacturing organizations, it can be applied to software development organizations but requires a lot of interpretation to be applicable. For this reason, ISO 9000-3 guidance for the application of ISO 9001 to the development, supply, and maintenance of software was added to address the confusion and difficulty in applying ISO 9001 to software. ISO 9000-3 contains 22 clauses written specifically for software development and these map back to the actual ISO 9001 standard consisting of 20 clauses. Although the clauses are more specific to software, they are still of a sufficiently high level to require further interpretation to be applicable to an organization and they do not address information technology security. Note that ISO 9000-3 guidance is limited to software, whereas ISO 9001 and the CC are applicable to hardware in addition to software products and systems.
Compliance with ISO 9000 is achieved by independent auditors inspecting the organization's quality manual and processes and interviewing personnel. An ISO 9000 certificate is only offered to a proper organization such as a company. This differs from the SSE-CMM, which can be appraised for an individual group or project within a company or an organization.
ISO 9001 covers a wider scope than the CC requirements from conception to decommissioning of a product which means that an organization looking at being ISO 9001 registered as a way of saving evaluation time will have to implement a quality system covering more areas than required for a CC evaluation. This additional work to obtain ISO 9001 may not be justified.
ISO/IEC 15504 is compatible with CMM. 15504 uses the process dimension and the capability dimension. The base practices are split into organization, management, engineering, customer-supplier and support. 15504 specifies a capability rating of the organization running the development process:
The evaluation criteria "Information Technology Security Evaluation Criteria (ITSEC)" and the evaluation manual "Information Technology Security Evaluation Manual (ITSEM)" are among the predecessor documents of the Common Criteria and of the Common Evaluation Methodology. They were developed in the early 1990s by the four European nations France, Germany, the Netherlands and the United Kingdom. The ITSEC assurance is based on the approach introduced in the TCSEC. However, the separation between functional and assurance requirements in the ITSEC allows greater flexibility. The assurance requirements are themselves again split into the two aspects of effectiveness and correctness. Assessment of effectiveness involves consideration of the following aspects of the Target of Evaluation (TOE):
The ITSEM builds on the ITSEC describing how a TOE should be evaluated according to these criteria. The specific objective of the ITSEM is to ensure that there exists a harmonized set of evaluation methods which complements the ITSEC.
The ITSEM was not based on a predecessor document. As such, it presented for the first time much background information for the application of the assurance methods outlined in the ITSEC, and indirectly also for the assurance methods used in the TCSEC and the CTCPEC.
BS7799 is a British Standard which was developed as a result of industry, government and commerce demand for a common framework to enable companies to develop, implement and measure effective security management practice and to provide confidence in inter-company trading. It is based on the best current information security practices of leading British and international businesses and has met with international acclaim. BS7799 has been adopted by a number of countries as a standard. Discussions are ongoing with a view to agreeing BS 7799 as an International (ISO) standard. BS 7799 has been provided to address the needs of information security management systems within organizations, and consists of two parts:
It is the aim of IT baseline protection, through the appropriate application of organizational, personnel, infrastructure and technical standard security measures, to achieve a security standard for IT systems that is adequate and sufficient as regards medium-level protection requirements and can serve as a basis for IT applications requiring a high degree of protection. To this end, the IT Baseline Protection Manual recommends safeguard packages for typical IT configurations, environments and organizational set-ups. For the preparation of this Manual, the German Information Security Agency (GISA)/Bundesamt für Sicherheit in der Informationstechnik (BSI) assumed risk assessment estimates on the basis of known threats and vulnerabilities and has developed packages of measures suited for this purpose. Consequently, the user only has to ensure that the recommended measures will be consistently and fully implemented. At the same time, this helps to ensure that IT security as regards medium-level protection requirements can be achieved in a labor-economical manner, especially since individual system security policies can refer to the IT Baseline Protection Manual. Thus, IT baseline protection becomes a common basis of agreement on measures to meet medium-level protection requirements.
Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.