Nihil, you make a lot of retarded comments, but this:

> How many viruses, trojans, worms etc. have we seen since then?

takes the cake. It shows such a lack of understanding of the TCSEC, ITSEC, and CC that I can't even believe it.

When do transitional state models become obsolete? With the advent of new viruses, worms, and trojans? Of course not. All processes fall within the same model, be they good processes or the product of malware.
The TCSEC is still valid today, it has merely been expanded and reorganized by the CC.
I guess now we see why the rest of the world is so incredibly far behind the US when it comes to computer security. So... what was the last high assurance system designed in the UK or by a UK company? Or... any other country for that matter?
> Rules are made to be broken, corners to be cut.

You operate in a very different "real world" than those of us who require high assurance environments. If I cut corners and break rules... I get to go to federal prison. I think being anally raped as the result of following your advice is just a little too "real world" for me.
Fortunately for you, your job doesn't require it... in fact you prolly use systems that don't even have TFMs.
> I do not set great store by vendors' manuals when it comes to processes or security.
Nor are they intended to be... they tell you how to apply the security policy to correctly meet your business requirements. Don't you find it difficult to debate something that you don't understand?
> Firstly they are no substitute for a proper business analysis exercise and secondly, if they were that damn good, why do all these vendors keep releasing security patches (but never a patch for the manuals)?

I've never needed to patch a system that followed the TFM; the majority of patches are for superfluous services or misconfigurations that allow a code-level exception to violate the security policy. I cannot recall a single exploit for ANY system in the last 15 years that violated the TFM. Additionally, TFMs are updated to comply with changes in the system... and would comply with changes in vulnerability types, except no new vulnerability types have been discovered in the last 30 years or so.

> You can have the crappest policies, processes and procedures on earth, but so long as they are properly documented and adhered to, you will pass certification.

This is not true either... ISO-17799 requires that you document how your security policies have been implemented in a manner that meets the business requirements. If they don't do that, how can you document it?

> I do not see this as a problem so long as people understand that these limitations exist... there is no such thing as the silver bullet.

Yes, there is such a thing as a silver bullet... it is called a process of continual improvement. ISO-21827 will get you on your way with regard to security.