Nihil, you make a lot of retarded comments, but this:
Quote:
How many viruses, trojans, worms, etc. have we seen since then
takes the cake. It shows such a lack of understanding of the TCSEC, ITSEC, and CC that I can't even believe it.
When do transitional state models become obsolete? With the advent of new viruses, worms, and trojans? Of course not. All processes fall within the same model, be they good processes or the product of malware.
The TCSEC is still valid today, it has merely been expanded and reorganized by the CC.
Quote:
Rules are made to be broken, corners to be cut
I guess now we see why the rest of the world is so incredibly far behind the US when it comes to computer security. So... what was the last high-assurance system designed in the UK or by a UK company? Or... any other country, for that matter?
You operate in a very different "real world" than those of us who require high-assurance environments. If I cut corners and break rules... I get to go to federal prison. I think being anally raped as the result of following your advice is just a little too "real world" for me.
Quote:
I do not set great store by vendor's manuals when it comes to processes or security.
Fortunately for you, your job doesn't require it... in fact, you probably use systems that don't even have TFMs.
Quote:
Firstly they are no substitute for a proper business analysis exercise and secondly
Nor are they intended to be... they tell you how to apply the security policy to correctly meet your business requirements. Don't you find it difficult to debate something that you don't understand?
Quote:
if they were that damn good, why do all these vendors keep releasing security patches (but never a patch for the manuals)?
I've never needed to patch a system that followed the TFM; the majority of patches are for superfluous services or misconfigurations that allow a code-level exception to violate the security policy. I cannot recall a single exploit for ANY system in the last 15 years that violated the TFM. Additionally, TFMs are updated to comply with changes in the system... and would comply with changes in vulnerability types, except no new vulnerability types have been discovered in the last 30 years or so.
Quote:
You can have the crappest policies, processes and procedures on earth, but so long as they are properly documented and adhered to, you will pass certification.
This is not true either... ISO-17799 requires that you document how your security policies have been implemented in a manner that meets the business requirements. If they don't do that, how can you document it?
Quote:
I do not see this as a problem so long as people understand that these limitations exist... there is no such thing as the silver bullet
Yes, there is such a thing as a silver bullet... it is called a process of continual improvement. ISO-21827 will get you on your way with regard to security.
cheers,
catch
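The point catch makes above about state-transition models, that a reference monitor applies the same rules to every process whether it is a trusted application or malware, can be illustrated with a toy Bell-LaPadula style monitor. The following is an added example and not code from the post or from any of the standards mentioned; the lattice of levels, the subject and object names (including "dropper" standing in for a malware process), and the request trace are all constructed for the illustration. The monitor decides each request purely from the lattice levels and the access mode, so two subjects with the same clearance get identical decisions regardless of their intent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sensitivity lattice (hypothetical; not from any real TFM).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    name: str        # a process; the monitor never sees or cares about its intent
    clearance: str


@dataclass
class Obj:
    name: str
    classification: str


@dataclass
class ReferenceMonitor:
    """Mediates every access request and records the protection state."""
    # Current accesses held: (subject, object, mode)
    state: Set[Tuple[str, str, str]] = field(default_factory=set)
    # Audit trail of every decision: (subject, object, mode, allowed)
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def request(self, subj: Subject, obj: Obj, mode: str) -> bool:
        s = LEVELS[subj.clearance]
        o = LEVELS[obj.classification]
        if mode == "read":
            allowed = s >= o      # simple security property: no read up
        elif mode == "write":
            allowed = s <= o      # *-property: no write down
        else:
            allowed = False       # unknown mode: default deny
        if allowed:
            self.state.add((subj.name, obj.name, mode))
        self.audit.append((subj.name, obj.name, mode, allowed))
        return allowed


def run_trace(monitor: ReferenceMonitor,
              subjects: Dict[str, Subject],
              objects: Dict[str, Obj],
              trace: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Replay (subject, object, mode) requests and return each decision."""
    return [(s, o, m, monitor.request(subjects[s], objects[o], m))
            for s, o, m in trace]


def demo() -> Tuple[List[Tuple[str, str, str, bool]], ReferenceMonitor]:
    """Constructed scenario: a trusted app and a malware process, same clearance."""
    subjects = {
        "payroll_app": Subject("payroll_app", "confidential"),
        "dropper": Subject("dropper", "confidential"),  # constructed malware stand-in
    }
    objects = {
        "salaries.db": Obj("salaries.db", "confidential"),
        "board_minutes": Obj("board_minutes", "secret"),
        "public_notice": Obj("public_notice", "unclassified"),
    }
    # Identical request sequence from each subject.
    trace: List[Tuple[str, str, str]] = []
    for name in ("payroll_app", "dropper"):
        trace += [(name, "salaries.db", "read"),     # read at own level: allowed
                  (name, "board_minutes", "read"),   # read up: denied
                  (name, "public_notice", "write")]  # write down: denied
    monitor = ReferenceMonitor()
    return run_trace(monitor, subjects, objects, trace), monitor


if __name__ == "__main__":
    decisions, mon = demo()
    for subj, obj, mode, ok in decisions:
        print(f"{subj:12} {mode:5} {obj:14} -> {'ALLOW' if ok else 'DENY'}")
```

The decision for "dropper" matches "payroll_app" request for request: the model has no notion of "good" or "malicious" code, only of subjects, objects, levels and transitions, which is why new malware families do not invalidate the model itself.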