Security Process Professional: Resources for IT Audit & Security Improvement
ISO 15408 Common Criteria Threat List

ISO 15408 Standard for Information Technology Security Evaluation is the international standard known as the "Common Criteria." While it was designed for benchmarking commercial products, its assets can be effectively used to guide project teams in building products that take a "Defense in Depth" approach to security protection.

Many (in fact, most) threats detailed in the standard cannot be directly handled programmatically. Many address the physical environment, system interdependencies, user and administrative processes and procedures, and human fault and ethics. Nevertheless, creative project teams understand that by creating security-focused documentation and user manuals, and by recommending security-focused administrative and management protocols, they can have a huge influence on how security threats outside their zone of responsibility (but affecting their product) will be handled.

This presentation walks you through the threat categories listed in the standard. Use these categories as the foundation threat list on your projects, and supplement it with lists that are technology-, environment- or function-specific to ensure you are taking a truly comprehensive approach to product security protection.

ISO 15408 Common Criteria Threat Categories


Last Updated (Thursday, 07 July 2005)
 