Security System and/or Application Developers,
What are the current guidelines security-relevant applications are being
developed against in order to receive a particular security or
assurance rating? Are there such guidelines? Are there any assurance or
security ratings to obtain? I know from my AT&T Bell Lab days we used the
NCSC Trusted Security Evaluation Criteria (TSEC or Orange Book) to develop
a B1-rated Unix OS. What exists that is comparable for applications?
The purpose for such guidelines and security ratings would
be so that customers, etc. know what they are REALLY getting in terms of
security.
Thanks,
Cheri Dowell
NASA-Ames Research Center (NASA-ARC)