Chapter 26 System Evaluation and Assurance

《Chapter 26 System Evaluation and Assurance》由會員上傳分享，免費在線閱讀，更多相關內容在學術論文-天天文庫。

1、CHAPTER26SystemEvaluationandAssuranceIfit’sprovablysecure,itprobablyisn’t.—LarsKnudsenIthinkanytimeyouexposevulnerabilitiesit’sagoodthing.—AttorneyGeneralJanetReno[1068]OpensourceisgoodforsecuritybecauseitpreventsyoufromeventryingtoviolateKerckhoffs’sLaw.—EricRaymond26.1IntroductionIvecoveredalo

2、tofmaterialinthisbook,someofitquitedif?cult.ButIveleftthehardestpartstothelast.Thesearethequestionsofassurancewhetherthesystemwillworkandevaluationhowyouconvinceotherpeopleofthis.Howdoyoumakeadecisiontoshiptheproduct,andhowdoyousellthesafetycasetoyourinsurers?Assurancefundamentallycomesdowntothe

3、questionofwhethercapablemotivatedpeoplehavebeatuponthesystemenough.Buthowdoyoude?neenough?Andhowdoyoude?nethesystem?Howdoyoudealwithpeoplewhoprotectthewrongthing,becausetheirmodeloftherequirementsisout-of-dateorplainwrong?Andhowdoyouallowforhumanfailures?Therearemanysystemswhichcanbeoperatedjust

4、?nebyalertexperiencedprofessionals,butareun?tforpurposebecausetheyretootrickyforordinaryfolktouseorareintolerantoferror.Butifassuranceishard,evaluationisevenharder.Itsabouthowyouconvinceyourboss,yourclientsand,inextremis,ajurythatthesystem857858Chapter26■SystemEvaluationandAssuranceisindeed?tfor

5、purpose;thatitdoesindeedwork(orthatitdidworkatsomeparticulartimeinthepast).Thereasonthatevaluationisbothnecessaryandhardisthat,often,oneprincipalcarriesthecostofprotectionwhileanothercarriestheriskoffailure.Thiscreatesanobvioustension,andthird-partyevaluationschemessuchastheCommonCriteriaareofte

6、nusedtomakeitmoretransparent.26.2AssuranceAworkingde?nitionofassurancecouldbeourestimateofthelikelihoodthatasystemwillfailinaparticularway.Thisestimatecanbebasedonanumberoffactors,suchastheprocessusedtodevelopthesystem;theidentityofthepersonorteamwhodevelopedit;particulartechnicalassessments,suc

7、hastheuseofformalmethodsorthedeliberateintroductionofanumberofbugstoseehowmanyofthemarecaughtbythetestingteam;andexperi-encewhichultimatelydependsonhavingamodelofhowreliabilitygrows(ordecays)overtimeasasystemissubjectedtotes