ISO/IEC TR 20004:2012 信息技术 安全技术 依据ISO/IEC 15408和ISO/IEC 18045定义软件漏洞分析

标准编号：ISO/IEC TR 20004:2012

中文名称：信息技术 安全技术 依据ISO/IEC 15408和ISO/IEC 18045定义软件漏洞分析

英文名称：Information technology — Security techniques — Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045

发布日期：2012-08

标准范围

ISO/IEC TR 20004:2012完善了ISO/IEC 18045:2008中定义的AVA_VAN assurance系列活动，并就相关潜在漏洞的识别、选择和评估提供了更具体的指导，以便对评估的软件目标进行ISO/IEC 15408评估。ISO/IEC TR 20004:2012利用共同弱点枚举（CWE）和共同攻击模式枚举与分类（CAPEC）来支持确定和实施ISO/IEC 18045:2008（E）漏洞分析活动范围的方法。ISO/IEC TR 20004:2012没有定义某些高保证ISO/IEC 15408组件的评估员行动，因为目前还没有普遍同意的指南。

ISO/IEC TR 20004:2012 refines the AVA_VAN assurance family activities defined in ISO/IEC 18045:2008 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation.ISO/IEC TR 20004:2012 leverages the Common Weakness Enumeration (CWE) and the Common Attack Pattern Enumeration and Classification (CAPEC) to support the method of scoping and implementing ISO/IEC 18045:2008(E) vulnerability analysis activities.ISO/IEC TR 20004:2012 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.

标准预览图