
The Design And Implementation Of Security Evaluation Repository Based On Common Criteria

Posted on: 2013-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Du
GTID: 2268330392970631
Subject: Software engineering

Abstract/Summary:
With the rapid development of computer software and its deepening application in all fields of society, software security issues have become increasingly prominent and are now a focus of every industry. As an effective way to improve software security quality, software security evaluation based on the Common Criteria (CC) is of great significance for solving software security issues.

Protection Profile (PP) and Security Target (ST) documents are the foundation of a CC evaluation, and data related to software security is the key to developing PP and ST documents. This paper introduces the concepts of flaws, attack patterns, evaluation assurance level and security needs level into the CC process for deriving security requirements, making it more complete. Using the improved process as a framework, the paper completes the description, classification and storage of assets, flaws, threats and attack patterns, together with the mappings among them. These are combined with existing research results, such as assumptions, organizational security policies, security objectives and security requirements, to build a security evaluation repository that covers comprehensive information. In addition, the paper extends the Protection Profile and Security Target documents on the basis of the security evaluation repository, introducing content on assets, flaws, evaluation assurance level and security needs level so that they follow the improved derivation process more accurately. To manage and maintain the data in the repository effectively, the paper also develops a security evaluation repository management system. Finally, an example of deriving security requirements illustrates that the data in the repository is real and usable.

The security evaluation repository provides powerful data support for software security evaluation. Its management system helps evaluators maintain this data effectively and ensures the accuracy and long-term effectiveness and availability of the data. As a result, Protection Profiles and Security Targets can be more accurate, which also improves the accuracy of software security evaluation to some extent.
Keywords/Search Tags: Common Criteria, Protection Profile, Security Target, Assets, Flaws