Re: Vulnerability Assessment of an EAL 4 system

JAB wrote:
> Neil Jones wrote:
>> Thank you for replying.
>>
>> The system is an EAL4 system (using Common Criteria). Do I need to look
>> for the protection profiles on the system? Are there any config files
>> that define these protection profiles (PP)?
>>
>> N J
>
> The Security Target should be available and this would be a good
> starting point as this should tell you how the system meets the
> Protection Profile to which it conforms. As a little aside, I wouldn't
> hold that much faith in a CC evaluation to 'prove' that a system is
> secure. CC is criticised for focusing too heavily on paperwork and
> process and little on actually uncovering vulnerabilities.
Exactly. CC is meant to analyze the process, not the product. The CC
doesn't include debugging. The deepest level of analysis is source code
review.
The abbreviations EAL and PP are different sides of the same coin: the
EAL tells the amount of effort put into compliance, and the PP tells
what the end result is trying to be compliant with. If you want to know
something about a product, the PP is more important than the EAL.
-- Lassi