Keep the Code But Not the Flaws: A New Approach to Source Code Analysis (A21b)
In recent years, the CC community has intensely debated the pros and cons of source code analysis as part of CC evaluations. There have been numerous concerns about the loss of intellectual property, and about the effectiveness and efficiency of such an analysis.
Our new approach resolves these concerns by ensuring that:
1. The TOE developer does not need to disclose the code to the lab or the scheme. Only if there are findings may a limited portion of the code be provided to the lab.
2. The lab can nevertheless analyze the code for vulnerabilities effectively and efficiently, requiring only very limited support from the developer, and
3. Analysis results can be reused across projects, teams and even schemes, thus reaching comparable results on an international level.
This is the first time that a feasible approach to source code analysis for the CC community will be presented that fully satisfies the interests of each involved party: developers, labs, and schemes.