Dealing with Patch Management in Common Criteria – Lesson Learned from Study Period in SC27 WG3 (S30c)
The responsibility for updating Common Criteria has been transferred from the CCDB to SC27 WG3. Several major changes are in progress in ISO 15408, including the addition of new topics such as patch management. As rapporteur of the study period dedicated to patch management for ISO 15408, the speaker will explain the different challenges to be faced when including such a topic in the new release of ISO 15408. More specifically, the presentation will detail how this topic is currently addressed in several technical domains and their associated protection profiles, and will then summarize how the following points will be addressed:
a) What vocabulary to use to describe a certified TOE and a TOE with patch(es),
b) Which security objectives and SFRs cover TOE patch features,
c) Which security objectives and SFRs cover additional code features,
d) Which security objectives and SARs cover a Patch Development Process,
e) Which security objectives and SARs cover a Patch Deployment Process.
The presentation will conclude with a look at potential impacts on further evaluations.