Extended eTVRA vs. security checklist: Experiences in a value-web

13 years 2 months ago

Download eprints.eemcs.utwente.nl

Abstract--Security evaluation according to ISO 15408 (Common Criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a Common Criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (Protection Profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider. The ...

Ayse Morali, Emmanuele Zambon, Siv Hilde Houmb, Ka

Real-time Traffic

Common Criteria | Common Criteria Evaluation | ICSE 2009 | Security Evaluation | Software Engineering |

claim paper

Post Info
More Details (n/a)

Added	19 Feb 2011
Updated	19 Feb 2011
Type	Journal
Year	2009
Where	ICSE
Authors	Ayse Morali, Emmanuele Zambon, Siv Hilde Houmb, Karin Sallhammar, Sandro Etalle

Comments (0)

Sciweavers

Extended eTVRA vs. security checklist: Experiences in a value-web

Common Criteria | Common Criteria Evaluation | ICSE 2009 | Security Evaluation | Software Engineering |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers