Firewall Testing
Appendix A: The Orange Book on Testing
3.2.3.2 Life-Cycle Assurance
3.2.3.2.1 Security Testing
The security mechanisms of the ADP system shall be tested
and found to work as claimed in the system documentation.
A team of individuals who thoroughly understand the
specific implementation of the TCB shall subject its
design documentation, source code, and object code to
thorough analysis and testing. Their objectives shall be:
to uncover all design and implementation flaws that would
permit a subject external to the TCB to read, change, or
delete data normally denied under the mandatory or
discretionary security policy enforced by the TCB; as well
as to assure that no subject (without authorization to do
so) is able to cause the TCB to enter a state such that it
is unable to respond to communications initiated by other
users. The TCB shall be found relatively resistant to
penetration. All discovered flaws shall be corrected and
the TCB retested to demonstrate that they have been
eliminated and that new flaws have not been introduced.
Testing shall demonstrate that the TCB implementation is
consistent with the descriptive top-level specification.
(See the Security Testing Guidelines.)
3.2.3.2.2 Design Specification and Verification
A formal model of the security policy supported by the
TCB shall be maintained over the life cycle of the ADP
system that is proven consistent with its axioms. A
descriptive top-level specification (DTLS) of the TCB
shall be maintained that completely and accurately
describes the TCB in terms of exceptions, error messages,
and effects. It shall be shown to be an accurate
description of the TCB interface.
3.2.3.2.3 Configuration Management
During development and maintenance of the TCB, a
configuration management system shall be in place that
maintains control of changes to the descriptive top-level
specification, other design data, implementation
documentation, source code, the running version of the
object code, and test fixtures and documentation. The
configuration management system shall assure a consistent
mapping among all documentation and code associated with
the current version of the TCB. Tools shall be provided
for generation of a new version of the TCB from source
code. Also available shall be tools for comparing a
newly generated version with the previous TCB version in
order to ascertain that only the intended changes have
been made in the code that will actually be used as the
new version of the TCB.
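The comparison tool the passage above calls for is simple to build, and worth having for a firewall as much as for a TCB: hash every file of the previous release and the candidate release, list what differs, and check that list against the change the maintainers actually intended. The following script is an added example, written for this appendix; it is neither Marcus Ranum's code nor anything from the Orange Book or the VESARiA library. All file names and contents are constructed, and the function names (manifest_of, compare, only_intended, unexplained_object_changes, run_demo) are the example's own. It goes one step beyond the quoted text: besides flagging unintended changes, it also flags an object file that changed while its source did not, which is one concrete way the required "consistent mapping" between source and running object code can be violated.

```python
"""Added example: checking that a newly generated release differs from the
previous one only in the intended files (TCSEC 3.2.3.2.3 style comparison).
File names, contents and function names are constructed for illustration."""
import hashlib
import os
from pathlib import Path


def manifest_of(files: dict) -> dict:
    """Map each path to the SHA-256 of its content (files: {path: bytes})."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def manifest_of_dir(root: str) -> dict:
    """Same as manifest_of, but read every regular file under a directory."""
    base = Path(root)
    files = {}
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        files[path.relative_to(base).as_posix()] = path.read_bytes()
    return manifest_of(files)


def compare(old: dict, new: dict) -> dict:
    """Classify paths as added, removed or modified between two manifests."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def only_intended(diff: dict, intended: set) -> tuple:
    """Compare observed changes with the declared change list.

    Returns (ok, unexpected, missing): ok is True only when the two sets
    agree exactly; an intended change that did not happen is as much a
    configuration-management failure as a change nobody declared."""
    observed = set(diff["added"]) | set(diff["removed"]) | set(diff["modified"])
    unexpected = observed - intended
    missing = intended - observed
    return (not unexpected and not missing), unexpected, missing


def unexplained_object_changes(diff: dict, object_to_source: dict) -> list:
    """Object files that changed although the source they are built from did
    not: evidence that the running object code no longer maps to the source."""
    changed = set(diff["modified"]) | set(diff["added"])
    return sorted(obj for obj, src in object_to_source.items()
                  if obj in changed and src not in changed)


def run_demo() -> dict:
    """Constructed sample: a previous release and a candidate new release."""
    previous = {
        "dtls/interface.txt": b"allow(uid): returns 0 or 1; errors: EINVAL\n",
        "src/filter.c": b"int allow(int uid) { return uid == 0; }\n",
        "src/audit.c": b"void log_event(const char *e) { /* ... */ }\n",
        "obj/filter.o": b"\x7fELF-filter-build-1",
        "obj/audit.o": b"\x7fELF-audit-build-1",
        "tests/filter_test.sh": b"#!/bin/sh\n./filter 0 && ! ./filter 1000\n",
    }
    candidate = dict(previous)
    # Intended change: the source fix plus the object file rebuilt from it.
    candidate["src/filter.c"] = b"int allow(int uid) { return uid == 0 || uid == 1; }\n"
    candidate["obj/filter.o"] = b"\x7fELF-filter-build-2"
    # Not intended: audit.o differs although src/audit.c is unchanged.
    candidate["obj/audit.o"] = b"\x7fELF-audit-build-1-patched"

    intended = {"src/filter.c", "obj/filter.o"}
    object_to_source = {"obj/filter.o": "src/filter.c", "obj/audit.o": "src/audit.c"}

    diff = compare(manifest_of(previous), manifest_of(candidate))
    ok, unexpected, missing = only_intended(diff, intended)
    return {
        "diff": diff,
        "ok": ok,
        "unexpected": sorted(unexpected),
        "missing": sorted(missing),
        "unexplained_objects": unexplained_object_changes(diff, object_to_source),
    }


if __name__ == "__main__":
    result = run_demo()
    print("release accepted" if result["ok"] else "release REJECTED")
    print("unexpected changes:", result["unexpected"])
    print("object code changed without source change:", result["unexplained_objects"])
```

In practice the manifests would come from manifest_of_dir run over the two release trees, and the intended set from the change request that authorised the new version; the point of the exercise is that a change nobody declared, or an object file that moved without its source, blocks the release until someone explains it.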
This paper, and all contents, are Copyright (C) 1995 by Marcus J. Ranum. Do not duplicate,
re-publish, or reprint them without permission. Published as part of the VESARiA Security Library with permission.