Commit 3a4550cd authored by Valerie Aurora

Update NKEV requirements

parent 1962c015
+13 −16
@@ -640,7 +640,7 @@ The product shall be accompanied by documentation describing how the product may

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Objective: Prevent exploitation of known exploited vulnerabilities at first use
  * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
  * Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
  * Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
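Review bot: The Verdict line requires that "the most recently fixed vulnerability is fixed", but Preparation only asks the tester to select "a recently fixed vulnerability (preferably the most recently fixed)", so a tester who picks an older fix cannot evaluate the Verdict as written. Since the Objective is being tightened to first use, align the two, for example by having the Verdict refer to "the selected vulnerability", and state how recent the selection must be.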
@@ -652,7 +652,7 @@ The product shall implement automatic secure update by default before or during

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Objective: Prevent exploitation of known exploited vulnerabilities at first use
  * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
  * Activities: Follow the instructions to install and use the product for the first time, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
  * Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
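Review bot: The Activities and Verdict never check that the update happened automatically and by default, which is what this requirement is about; "The secure update completes successfully" would also pass if the tester triggered the update by hand. Add a step to Activities stating that the tester takes no update action beyond following the first-use instructions, and word the Verdict as completing without user initiation. The trailing "examine the documentation for the required info" reads as carried over from the previous test case; say which information is meant here or drop it.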
@@ -667,7 +667,7 @@ The product's development and release process shall include a process to documen
1. for each detected vulnerability, has documentation of how the risk has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Objective: Prevent exploitation of known exploited vulnerabilities at first use
  * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components
  * Activities: Compare the generated list of known exploitable vulnerabilities with the documentation of the known exploitable vulnerabilities that have been fixed or mitigated in the product
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
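Review bot: The new "at first use" qualifier in the Objective has no counterpart in this test case: Preparation and Activities compare a vulnerability list against documentation and involve no new product, first-use or update step. Either leave this Objective unqualified or say which product state the list is compiled against (as shipped, or after the initial secure update).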
@@ -682,7 +682,7 @@ The product shall be tested for all known exploitable vulnerabilities to demonst
1. for each tested vulnerability, the test result shows that the vulnerability has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Objective: Prevent exploitation of known exploited vulnerabilities at first use
  * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components, compile a list of known exploitable vulnerabilities that will be tested, collect tests for each one
  * Activities: On a new product, carry out a secure update, run the tests, and compare the results with the generated list of known exploitable vulnerabilities
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or mitigation requirement => PASS, otherwise FAIL
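Review bot: The Objective speaks of "known exploited vulnerabilities" while Preparation and Activities in the same test case speak of "known exploitable vulnerabilities"; these are different populations, and the edited line is a good place to settle on one term. Activities also says "a secure update" where the first test case says "the initial secure update"; if first use is the point, use the same wording here.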
@@ -697,24 +697,21 @@ If automatable and freely-usable vulnerability scanners are available for the pr
1. for each detected vulnerability, has publicly available documentation explaining how the risk has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known vulnerabilities
  * Objective: Prevent exploitation of known vulnerabilities at first use
  * Preparation: Select a set of tools meeting the requirements
  * Activities: On a new product, carry out a secure update, run the tools on the product, and examine the documentation for any reported vulnerabilities
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
  * Evidence: Documented vulnerability handling policy, list of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations

| Risk factors                                         | Requires mitigations |
|------------------------------------------------------|----------------------|
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) < 1           | KEVD                 |
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) < 2           | KEVD, KEVL           |
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) > 1 & ADM < 1 | KEVD, (KEVT or SCAN) |
| all others                                           | KEVA, (KEVT or SCAN) |
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Security Profile | Requires mitigations |
|------------------|----------------------|
| WD-1, WL-1, VI-1 | KEVD                 |
| WD-4             | KEVD, (KEVT or SCAN) |
| all others       | KEVA, (KEVT or SCAN) |
| Security profiles            | Mitigations          |
|------------------------------|----------------------|
| WD-1                         | none                 |
| WD-3, WL-1, VI-1             | KEVD, KEVM           |
| WD-2, WD-4, WL-2, WL-3, VI-2 | KEVA, (KEVT or SCAN) |

_See Annex C for rationale._

### 5.2.X **TR-SSDD**: Secure design and development
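Review bot: The final table (Security profiles | Mitigations) maps WD-1 to "none", whereas the security-profile table above it lists WD-1 under KEVD, and it introduces KEVM, which appears nowhere else in the visible lines, while KEVL from the risk-factor table no longer appears. Confirm that KEVM is defined under a requirement heading in this section and that dropping all mitigations for WD-1 is covered by the Annex C rationale. The Objective in this test case also reads "known vulnerabilities" rather than "known exploited vulnerabilities" as in the other four; if that is intentional, a word in the requirement text would help.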