RE: common criteria draft

From: Aleksander P. Czarnowski (alekc@avet.com.pl)
Date: 01/08/03

    Date: Wed, 8 Jan 2003 14:10:32 +0100
    From: "Aleksander P. Czarnowski" <alekc@avet.com.pl>
    To: "Brewis, Mark" <mark.brewis@eds.com>
    
    

    > I don't know how many people reading the lists have any
    > involvement in formal Evaluation, but I doubt it is very
    > many. This isn't really Penetration Testing as the majority
    > of people on these lists understand it.
    Fully agree. For what most would see as an example of pen-test methodology, I
    would rather advise taking a look at the Open Source Security Testing
    Methodology Manual at http://www.isecom.org/ instead of the CC drafts.
    > Unless someone works for an Evaluation Facility, then they
    > aren't likely to have come across this or have the background
    > knowledge to put the document into context.
    Actually there are a few good reasons to at least read it even if you are
    not an Evaluation Facility. Formalization of the pen-test process is not an
    easy task, and such documents can positively influence others' work in
    this field. However, one should read other documents regarding CC before
    starting with this draft, I guess.
    > There is some good stuff in there if you need to develop a
    > formal method for Penetration Testing, but it isn't an easy
    > read. This entire process is still under review, and
    > probably won't be finalised until late 2003/early 2004.
    This is one of the drawbacks that probably keeps people from using it. People
    are afraid of using and applying drafts in a production environment.
    Just my 2 cents.
    Best Regards,
    Aleksander Czarnowski
    AVET INS
