200 likes | 424 Views
Guideline for Developer Documentation. Christian Krause. Federal Office for Information Security. 8th ICCC / September 26th, 2007. What makes the use of the CC/CEM for developer difficult ?. CEM contains detailed requirements regarding the developer evidence
E N D
Guideline forDeveloper Documentation Christian Krause Federal Office for Information Security 8th ICCC / September 26th, 2007
What makes the use of the CC/CEM for developer difficult? • CEM contains detailed requirements regarding the developer evidence • Therefore developers who intend to get involved in a CC evaluation has to consult the CEM
What makes the use of the CC/CEM for developer difficult? • Structure and content of the CEM has been optimised to serve as an evaluation directive for evaluators • That makes the use of the CEM for developers in particular with less CC experience difficult
What makes the use of the CC/CEM for developer difficult? A lot of information is only relevant for the evaluation, but not for the preparation of the developer evidence • ADV: Evaluator analyses regarding accuracy • Requirements regarding site visits • ATE_IND • AVA_VAN • Guidance on sampling strategies • ...
What makes the use of the CC/CEM for developer difficult? The motivation of the requirements is not obvious in any case • What’s the use of so much paper work? The navigation is circumstantially for developers • e. g. developers has to consult the CC for the assurance component corresponding to the chosen EAL and then search in the CEM for the right requirements
Developer Guideline To ease the adoption of the CC for developers with less CC experiences, BSI has issued a Guideline for Developer Documentation • Covering all assurance components up to EAL5 (without classes ASE/APE which are considered in a separate ST/PP Guide)
Content and Structureof the Developer Guideline The Guideline offers assistance to developers by • extracting the information regarding the developer evidence from the CC/CEM, • structuring the information customised for the developer needs, • explanation of the context and background, • examples and • a sample document structure with explanations for the use as template for the developer documentation
Introduction to CC and CEM • Short Introduction to CC/CEM with overview of assurance classes • Explanation of the differences between the EALs • What does a higher EAL mean for • developer • evaluator • customer • Description of the additional requirements from an EAL to the next higher EAL
Introduction to CC and CEM Example:
Extracted Requirementsfor developer evidence • Requirements for developer evidence • labelled with colours for simple navigation • extract of requirements that have to be fulfilled by the developer • prepared in an order suitable from a developer’s view • explanation of related evaluator actions
Explanation of the context If reasonable additional information is given in a structured form • Background • Elucidation of the background • Note • Hint for developer • Role in the evaluation process • Explanation of the role in the evaluation process (What is the goal of the requirement?) • Examples • Depict how a requirement could be fulfilled
Explanation of the context Example:
Explanation of the context Example:
Sample Document Structure Sample Document Structure with explanations • Can be used by developers as template for the preparation of developer documentation • Is a possibility to simplify evaluations by providing a standard structure for developer documentation
Sample Document Structure Example (1):
Sample Document Structure Example (2):
Download Guideline for Developer Documentation • www.bsi.bund.de/zertifiz/zert/index_en.htm
Contact Bundesamt für Sicherheit in der Informationstechnik (BSI) Christian Krause Godesberger Allee 185-189 53175 Bonn Tel: +49 (0) 3018 - 9582-5116 Fax: +49 (0) 3018 - 109582-5116 Christian.Krause@bsi.bund.de www.bsi.bund.de www.bsi-fuer-buerger.de