标准编号:ISO/IEC TR 20004:2015
中文名称:信息技术 安全技术 根据ISO/IEC 15408和ISO/IEC 18045改善软件脆弱性分析
英文名称:Information technology — Security techniques — Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
发布日期:2015-12
标准范围
This Technical Report refines the AVA_VAN assurance family activities defined in ISO/IEC 18045 andprovides more specific guidance on the identification, selection and assessment of relevant potentialvulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. ThisTechnical Report leverages publicly available information security resources to support the methodof scoping and implementing ISO/IEC 18045 vulnerability analysis activities. The Technical Reportcurrently uses the common weakness enumeration (CWE) and the common attack pattern enumerationand classification (CAPEC), but does not preclude the use of any other appropriate resources.Furthermore, this Technical Report is not meant to address all possible vulnerability analysis methods,including those that fall outside the scope of the activities outlined in ISO/IEC 18045.This Technical Report does not define evaluator actions for certain high assurance ISO/IEC 15408components, where there is as yet no generally agreed guidance.
立即下载标准文件