CC-in-the-Cloud / General

Common Criteria in the Cloud Technical Community
https://cc-in-the-cloud.github.io/
MIT License

German Scheme Feedback: Determine Impact on SARs, 3rd issue #159

Open jgb1128 opened 3 months ago

jgb1128 commented 3 months ago

Page 37, 2nd to last bullet "The same notion of needing the operational environment to be a “trusted platform” applies here – deploying the TOE in a cloud platform and infrastructure has undergone a third-party authorization is important because it helps the evaluator understand the extent to which the TOE relies on the platform and assures that a vulnerable platform does not introduce any significant potential exploits of the TOE itself." What is important to add from a CB perspective: Still, the developer is expected to test state of the art cloud attack vectors in ATE / AVA. This also helps the TOE Admin to determine whether the Platform fulfills the requirements of the Operational Environment.

compgeeksquires commented 2 months ago

This is requesting addition of cloud-focused penetration testing?

bharveyTX commented 2 months ago

Refer to Vuln. Assessment Methodology section and ask if it meets concern.

heimannrj commented 2 months ago

I think this may be scheme dependent. Would it be helpful to add some language in the AVA Methodology section to acknowledge that threats and threat vectors in cloud environments may be managed differently across schemes? Also, I think the German comment is adding to the scope of what a TOE Admin is. In this context they seem to have some architecture authority. Not sure that is appropriate. Again, this may be a scheme nuance.

bharveyTX commented 4 days ago

We believe that the AVA section cannot be overly prescriptive as it is still a PP and Scheme consideration.

To continue discussion next call.