Under the Common Criteria (CC), an international standard for IT security evaluation, the documentation showing how developers took security into consideration when developing a product is examined.
The following guides for developers are intended to help developers understand some of the viewpoints described in the CC.
These guides serve as useful references for developers to check the matters that need to be confirmed, not only when creating documentation for CC evaluations but also when developing secure IT products in general.
Secure Guidance Documents Guide for Developers
Even if an IT product is equipped with robust security functionality, its security cannot be assured if a user misuses the product.
Developers are required to provide guidance documents (manuals) for the product so that users can correctly understand the security-relevant matters when using it.
Even if security functions are properly implemented in a product, information assets cannot be protected once the security functions themselves are disabled or bypassed by attackers.
Before implementing the security functions, developers have to design the overall structure (the security architecture) that ensures those security functions behave securely.
In addition to ensuring that the security functions work as specified, developers are responsible for confirming that their product has no vulnerabilities in its design or implementation.
The vulnerability assessment of the CC can be used as a reference when designing tests and when searching for and analyzing vulnerabilities.
This research report comprehensively identifies the security threats and vulnerabilities of MFPs (multifunction peripherals) for the latest security functions and operational environments, and categorizes them into two types: those for users to counter on the operational side and those for developers to address on the functional side.
It also lists the kinds of vulnerabilities, explains examples of their attack methods and causes, and discusses countermeasures in terms of operation, development, and examination.
It provides references for confirming threats and vulnerabilities in MFPs, presents appropriate security requirements for procurement, and gives guidance for the proper operation and management of MFPs.