Commit bfa95fcd authored by Valerie Aurora

Update NKEV to add automatic update mitigation

parent 7bce1e90
+24 −12
@@ -638,14 +638,24 @@ Recognizing that there may be vulnerabilities discovered between the time that a

The product shall be accompanied by documentation describing how the product may be securely updated, including how to update the product prior to, or as part of, first use.

Guidance: This may include informing the user about automatic secure updates.

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
  * Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
  * Verdict: If the secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
  * Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
  * Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results

#### 5.2.X.x **MI-KEVA**: Automatic secure update before or during first use

The product shall implement automatic secure update by default before or during first use.

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
  * Activities: Follow the instructions to install and use the product for the first time, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
  * Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
  * Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results

#### 5.2.X.x **MI-KEVM**: Documentation of mitigation of known exploitable vulnerabilities
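
Review bot: The MI-KEVA Verdict repeats the manual-update wording ("The secure update completes successfully ... documentation includes all the required information") and never tests what this mitigation requires, namely that the update runs automatically and by default before or during first use. Suggest the Verdict state that the update was applied without the tester initiating it, and that Evidence include a record showing the update was triggered automatically. The Activities and Verdict bullets also refer to "the required info" in the documentation, but the MI-KEVA requirement sentence names no documentation content, so either add that to the requirement or drop it from the Verdict. In both mitigations the Preparation bullet selects "a recently fixed vulnerability (preferably the most recently fixed)" while the Verdict requires that "the most recently fixed vulnerability is fixed"; the two should use the same wording.
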
@@ -673,9 +683,9 @@ The product shall be tested for all known exploitable vulnerabilities to demonst

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components and the list of known exploitable vulnerabilities that will be tested
  * Activities: Run the tests and compare the results with the generated list of known exploitable vulnerabilities
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or testing requirement => PASS, otherwise FAIL
  * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components, compile a list of known exploitable vulnerabilities that will be tested, collect tests for each one
  * Activities: On a new product, carry out a secure update, run the tests, and compare the results with the generated list of known exploitable vulnerabilities
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or mitigation requirement => PASS, otherwise FAIL
  * Evidence: Documented vulnerability handling policy, list of vulnerabilities, test results for each vulnerability or documentation of age of vulnerability, correlation of list of vulnerabilities with test results or documentation of age of vulnerablity

#### 5.2.X.x **MI-SCAN**: No easily scannable known exploitable vulnerabilities
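
Review bot: In the new Preparation bullet, "collect tests for each one" does not say which list it refers to (all known exploitable vulnerabilities in the product, or only those that will be tested); suggest "collect a test for each vulnerability that will be tested". The Verdict now reads "age or mitigation requirement", but the unchanged Evidence bullet still lists only test results or documentation of age, so it should also name the mitigation documentation and a record that the secure update in Activities was carried out. That Evidence line also carries the typo "vulnerablity", which could be fixed in the same change.
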
@@ -694,15 +704,17 @@ If automatable and freely-usable vulnerability scanners are available for the pr
  * Evidence: Documented vulnerability handling policy, list of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations

| Risk factors                                         | Requires mitigations |
|--------------------------------------------|----------------------|
|------------------------------------------------------|----------------------|
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) < 1           | KEVD                 |
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) < 2           | KEVD, KEVL           |
| all others                                 | KEVD, (KEVT or SCAN) |
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) > 1 & ADM < 1 | KEVD, (KEVT or SCAN) |
| all others                                           | KEVA, (KEVT or SCAN) |

| Security Profile | Requires mitigations |
|------------------|----------------------|
| WD-1, WL-1, VI-1 | KEVD                 |
| all others       | KEVD, (KEVT or SCAN) |
| WD-4             | KEVD, (KEVT or SCAN) |
| all others       | KEVA, (KEVT or SCAN) |

### 5.2.X **TR-SSDD**: Secure design and development
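
Review bot: The new "all others" rows in both tables list KEVA without KEVD, while every other row keeps KEVD; state whether KEVA is meant to supersede KEVD, or write "KEVD, KEVA, (KEVT or SCAN)". In the risk-factor table, the added condition "max(...) > 1 & ADM < 1" leaves "all others" to mean the remaining cases where ADM is not below 1, which is easy to misread, so spelling that row out explicitly would help. ADM is also not one of the factors inside max(...), and nothing in the table says why it is treated separately. In the Security Profile table, WD-4 is the only profile the new row exempts from KEVA; a sentence giving the reason would help readers.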