Commit 10e06986 authored by Santeri Toikka's avatar Santeri Toikka
Browse files

Removed documentation from exploit requirements

Closes #96 HAS35
parent 1a117114
Loading
Loading
Loading
Loading
+9 −7
Original line number Diff line number Diff line
@@ -104,21 +104,23 @@ System operation is always an interplay of multiple components. Modern software

### 5.1.1 No known exploitable vulnerabilities

If the deliverable contains or requires an operating system the operating system is expected to be regularly updated and maintained. Depending on the chosen delivery method, the maintenance of the operating system can be provided by the customer of the product. Note that a container has always an operating system.
If the deliverable contains or requires an operating system the operating system is expected to be regularly updated and maintained.
Depending on the chosen delivery method, the maintenance of the operating system can be provided by the customer of the product.
Note that a container has always an operating system.

If automateable and freely-usable vulnerability scanners are available the product shall satisfy the following with respect to the most comprehensive of such scanners.

-   **[REQ-EXPLOIT-0a]** The product shall have no vulnerabilities discovered by scans.
-   **[REQ-EXPLOIT-0b]** The product shall have only discoverable vulnerabilities whose age is consistent with the documentation of how long vulnerabilities may go unfixed after public disclosure.
-   **[REQ-EXPLOIT-0c]** For each detected vulnerability, the product shall have publicly available documentation explaining how the risk has been mitigated.
-   **[REQ-EXPLOIT-0b]** The product shall have only discoverable vulnerabilities whose age is consistent with how long vulnerabilities may go unfixed after public disclosure.
-   **[REQ-EXPLOIT-0c]** For each detected exploitable vulnerability, the product shall have the risk mitigated.

Recognising that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known vulnerabilities both when first made available and when first used by a consumer.
Recognising that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by the system user.

<mark>Turn this into product specific requirement without the docs</mark>

-   **[REQ-EXPLOIT-1a]** The product shall be accompanied by documentation describing how the product may be securely updated,
-   **[REQ-EXPLOIT-1b]** including how to update the product prior to, or as part of, first use.
-   **[REQ-EXPLOIT-2]** The product shall have OS and Application upgrade instructions which makes it possible to obtain the set High Availability targets.
-   **[REQ-EXPLOIT-1a]** The product shall be securely updated.
-   **[REQ-EXPLOIT-1b]** The product shall be securely updated as part of first use.
-   **[REQ-EXPLOIT-2]** The product shall have divorserd OS and Application upgrade procedures which makes it possible to obtain the set High Availability targets when the operational environment makes this possible.
-   **[REQ-EXPLOIT-3]** The product shall ensure that the product can be updated at the time of first use to address all known exploitable vulnerabilities which were discovered after the product's placement on the market and before that first use.

More about [High Availability](#53x-high-availability) in its dedicated chapter.