Open dundiddat opened 1 year ago
There is an existing NDcPPv2.2 RFI 202200 (https://ccusersforum.onlyoffice.com/Products/Files/DocEditor.aspx?fileid=7709345&action=view) that makes fuzz testing optional. However, an alternative Type 4 approach needs to be defined.
RFI 202200 was addressed in Issue #121.
The request to formalize the use of vulnerability scanners, something that is already a requirement with many Schemes, is not the same issue as updating ND SDv3 to incorporate RFI 202200.
Provide the location of the issue
A.1.4 para 694
Type 4 Hypotheses – Tool-Generated
What is the enhancement request for the cPP? Please describe.
Type 4 Hypotheses – Tool-Generated: please consider specifying vulnerability scanning as an alternative to fuzz testing.
Describe the solution you'd like
Suggested changes:
The evaluator shall utilize automated vulnerability scanning tools as part of the vulnerability assessment process. It is up to the evaluator to select the applicable tools; however, there is an expectation that any utilized tool is actively maintained, and plugin/definitions versions are up to date. The scan results must be entered into evaluation evidence in a readable format.