Commit 1e9d54fb authored by Aki Braun

[RDI 14] 5.2.4 TR-SCUD

parent d8db0a6e
+1 −4
@@ -202,7 +202,7 @@ The product shall be accompanied by documentation of the secure update methods f

The product shall provide a method of securely updating any software in the product via the product itself.

* Applicability: Product expected use is long enough to require updates
* Applicability: All products that include a software update mechanism.
* Reference: TR-SCUD
* Objective: Prevent exploitation of known vulnerabilities
* Preparation: Prepare an update for each part of the product that can be updated with a different version number from the currently installed product version
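
Review bot: The replacement Applicability line, "All products that include a software update mechanism.", scopes the requirement by the very capability the requirement mandates ("The product shall provide a method of securely updating any software in the product"), so a product shipped with no update mechanism would fall outside it. If every product is meant to be covered, say so directly, or state which products are exempt and why. The new line also ends with a full stop while the neighbouring Reference, Objective and Preparation bullets do not.
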
@@ -225,7 +225,6 @@ The product shall provide a method of automatically securely updating any softwa

The technical documentation provided with the product shall document that the operational environment shall provide a method of securely updating the product.

* Applicability: Product expected use is long enough to require updates
* Reference: TR-SCUD
* Objective: Prevent exploitation of known vulnerabilities
* Activities: Assess the documentation provided with the product
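
Review bot: The Applicability bullet is deleted here rather than reworded as in the first hunk, so this entry now starts at "Reference: TR-SCUD" and carries no scope statement. Keep the field and give it an explicit value, so a reader of the test case does not have to guess whether a missing Applicability means "all products" or "not yet decided".
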
@@ -236,7 +235,6 @@ The technical documentation provided with the product shall document that the op

The technical documentation provided with the product shall document that the operational environment shall provide a method of automatically securely updating the product with an option for the product to be configured to disable automatic updates.

* Applicability: Product expected use is long enough to require updates
* Reference: TR-SCUD
* Objective: Prevent exploitation of known vulnerabilities
* Activities: Assess the documentation provided with the product
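
Review bot: With Applicability removed, this entry (automatic updates with an option to disable them) and the previous documentation entry (secure updates provided by the operational environment) show the same Reference, Objective and Activities bullets, and nothing says when each one applies. Add an Applicability line that states which products must document the automatic variant.
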
@@ -249,7 +247,6 @@ The technical documentation provided with the product shall document that the op

Updates for the product are cryptographically signed. The product shall verify the signature before installation in order to mitigate the installation of tampered and/or modified updates.

* Applicability: Product expected use is long enough to require updates
* Reference: TR-SCUD
* Objective: Prevent the installation of modified updates.
* Activities: For each part of the product that can be updated, attempt installation of:
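
Review bot: Removing Applicability from the signature check leaves it unscoped, although verifying a signature "before installation" only makes sense where the product installs updates. The wording introduced in the first hunk, "All products that include a software update mechanism", fits this entry; reuse it here instead of dropping the bullet.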