Commit 879e6412 authored by Valerie Aurora

Add automatic secure update provided by environment

parent 1825d805
+27 −10
@@ -998,7 +998,7 @@ The product shall be accompanied by documentation of the secure update methods f

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Objective: Secure updates
  * Objective: Prevent exploitation of known vulnerabilities
  * Activities: Assess the documentation for completeness
  * Verdict: Documentation describes secure update methods sufficiently for a third party to implement them => PASS, otherwise FAIL
  * Evidence: Documentation and analysis of completeness
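Review bot: Two Objective bullets ("Secure updates" and "Prevent exploitation of known vulnerabilities") appear in this hunk while the header (7 lines to 7 lines) indicates a single changed line, so one of them is replacing the other; whichever is kept, the PASS criterion "sufficiently for a third party to implement them" should state what the third party is expected to implement, applying updates to a deployed product or building the update mechanism itself, because the Evidence bullet ("analysis of completeness") cannot be judged without that scope. Suggest rewording the Verdict along the lines of "Documentation describes the secure update methods in enough detail for a third party to apply an update without vendor assistance => PASS".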
@@ -1009,32 +1009,49 @@ The product shall provide a method of securely updating any firmware or software

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Objective: Prevent exploitation of known vulnerabilities
  * Preparation: Prepare an update for each part of the product that can be updated with a different version number from the currently installed product version
  * Activities: Check the versions of all parts of the product that can be updated, install the new update, and check the versions again
  * Verdict: The second versions read are that of the new product update => PASS, otherwise FAIL
  * Evidence: New update version numbers, and log of querying the product parts' versions, installing the update, and querying the versions again

#### 5.2.X.x **MI-SUAP**: Automatic secure update via product

The product shall provide a method of automatically securely updating any firmware or software in the product via the product itself with an option for the user to disable automatic updates.

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Objective: Prevent exploitation of known vulnerabilities
  * Preparation: Prepare an update for each part of the product that can be updated with a different version number from the currently installed product version
  * Activities: Check the versions of all parts of the product that can be updated, create the conditions that allow automatic secure update to occur, check the versions again, then repeat except disabling automatic updates
  * Verdict: For the first test, the second versions read are that of the new product update, and for the second test with automatic updates disabled, the second versions read are the same as the first versions read => PASS, otherwise FAIL
  * Evidence: New update version numbers, and log of querying the product parts' versions, installing the update, and querying the versions again

#### 5.2.X.x **MI-SUOE**: Secure update provided by operational environment

The technical documentation provided with the product shall document that the operational environment shall provide a method of securely updating the product.

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Objective: Secure updates
  * Objective: Prevent exploitation of known vulnerabilities
  * Activities: Assess the documentation provided with the product
  * Verdict: Documentation describes requirements for the secure updates provided by the operational environment => PASS, otherwise FAIL
  * Evidence: Documentation and analysis of completeness

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
#### 5.2.X.x **MI-SUAO**: Automatic secure update provided by operational environment

| Risk factors                     | Requires mitigations |
|----------------------------------|----------------------|
| max(PHY, SFT, NET, INT, DOS) < 1 | SUDC                 |
| max(PHY, SFT, NET, INT, DOS) > 0 | SUDC, (SUVP or SUOE) |
The technical documentation provided with the product shall document that the operational environment shall provide a method of automatically securely updating the product with an option for the user to disable automatic updates.

| Security Profile    | Requires mitigations |
|---------------------|----------------------|
| WD-\*, WL-\*, VI-\* | SUDC, (SUVP or SUOE) |
  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-SCUD
  * Objective: Prevent exploitation of known vulnerabilities
  * Activities: Assess the documentation provided with the product
  * Verdict: Documentation describes requirements for automatic secure updates provided by the operational environment => PASS, otherwise FAIL
  * Evidence: Documentation and analysis of completeness

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

TODO

### 5.2.X **TR-AUTH**: Authentication and access control
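Review bot: The MI-SUAP Activities step "create the conditions that allow automatic secure update to occur" does not name those conditions or an observation window, so a FAIL verdict cannot be distinguished from an update that has simply not triggered yet; suggest the Preparation bullet require the tester to record the documented trigger conditions (for example network reachability or a scheduled check-in) and a maximum wait time, and that the Evidence bullet, which still reads "installing the update" as carried over from MI-SUVP, instead record the conditions created, the time waited, and the version readings from both runs (automatic updates enabled and disabled). Separately, this hunk removes the existing mapping of SUDC, SUVP and SUOE to risk factors and security profiles and replaces it with "TODO", so the new SUAP and SUAO mitigations have no mapping and the previously specified one is lost in the same commit; suggest keeping the existing rows and adding rows for SUAP and SUAO, or at least calling out the TODO in the commit message. Finally, for MI-SUAO the Verdict only requires that documentation "describes requirements for automatic secure updates provided by the operational environment", while the requirement text also demands "an option for the user to disable automatic updates"; the Verdict should require that the documented requirements include that disable option, otherwise documentation that omits it would PASS.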