Date: Sat May 21 17:13:58 2005
From: h_hikita at yahoo.co.jp (HHikita)
Subject: Can ISO15408 evaluated products be trusted?

Nora Barrera wrote:

>I was told that "internal risk" is not taken into
>account in Japan. No employee would hack his own
>company.
>

The traditional employment system in Japan was "Shuushin Koyou". You were basically assured your job until retirement. So before there was any information technology, 30 years of your annual income was enough to mitigate most threats.

There are still companies which do not take "internal risk" into account, and you are able to read about their consequences in the newspapers daily.

>How can this be evaluated? The evaluation laboratory
>says "Not clear, not understandable". And the guy who
>wrote the description answers "you are too stupid to
>understand it". What happens next?
>

The evaluator would at least have to specify where and/or what in the Security Target he finds to be "Not clear, not understandable". And the developer is given a chance to take action against these claims. If the issue is not resolved at the end of the evaluation, then the verdict would be "fail" or "inconclusive".

>_Supposed_
>You said it!
>

You would have to do some homework on the kind of product the PP or ST is about.