RTCA DO-356A (document for review), page 65
© RTCA, 2018
integration of security assurance activities with other assurance processes and
Vulnerability Identification Objectives
The purpose of vulnerability identification is to ensure that the product is free of exploitable vulnerabilities and to guarantee that all COTS used in the product contain no known applicable vulnerabilities that can impair safety. Additional information about vulnerability identification is found in Appendix B.2.1.
As vulnerabilities are discovered, they are analyzed for their impact and stored in the
The vulnerability identification objectives include:
O7.1 Vulnerabilities in security measures and assets that could lead to an airworthiness security impact are identified.
The possibility that a vulnerability may be known as a “bug” or defect for a long time before being recognized as a vulnerability should be considered. There are known cases where a vulnerability was tracked for years as a defect without the potential attacks being realized. There are also cases where a vulnerability was considered “fixed” (by mitigation or prevention of the known attacks), but was shown by new attacks to still exist several years later.
O7.2 Vulnerabilities in COTS are identified.
O7.3 Vulnerabilities are evaluated for their potential impact on safety.
O7.5 Vulnerabilities are treated according to their evaluation.
Security Refutation Objectives
For the purposes of this section, refutation is used in the sense of demonstrating the absence of a problem. Hence, security refutation is demonstrating the absence of security problems. This procedure is commonly called security penetration testing and may include fuzz testing. Additional information about refutation is found in Appendix B.2.3. New problems may be discovered during such testing; if so, they should be evaluated to determine whether or not they present acceptable risk.
The security refutation objectives include:
O8.2 Refutation analyses are performed to identify new vulnerabilities.
O8.4 Refutation tests are performed to evaluate the exposure of vulnerabilities in the
security environment and to challenge the vulnerability evaluation.
There is no direct relation between requirements and refutation
tests. The objective is to ensure that all systems / software /
hardware / interfaces with security requirements are in scope of at
least one refutation test.
O8.6 Refutation test results cover refutation test plans and performed tests. Test results are analyzed, and discrepancies are justified and traced.
Verification and refutation activities should be performed separately because they follow different concepts. Verification activities are requirements-based, while refutation activities need to be performed from an attacker perspective. Separation of verification and refutation test activities - for example by different test personnel - is needed to avoid negative influences between verification and refutation activities. Completely independent test organizations are not required.
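As an added illustration of O8.4 and O8.6 (not text or code from DO-356A), a small plan-consistency check over a constructed refutation test plan: it lists items carrying security requirements that no refutation test covers, scope entries that no longer match any item in the design, and findings recorded without a justification and trace. The data model, identifiers and sample records are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical data model for a refutation test plan; not the standard's own format.
@dataclass
class Item:
    item_id: str                 # system / software / hardware / interface
    has_security_reqs: bool      # does this item carry security requirements?

@dataclass
class RefutationTest:
    test_id: str
    scope: Set[str]              # item ids the test attacks (attacker perspective)
    # finding id -> justification/trace text, or None when not yet justified
    findings: Dict[str, Optional[str]] = field(default_factory=dict)

def uncovered_items(items: List[Item], tests: List[RefutationTest]) -> List[str]:
    """O8.4: items with security requirements that are in scope of no refutation test."""
    covered: Set[str] = set().union(*(t.scope for t in tests)) if tests else set()
    return sorted(i.item_id for i in items if i.has_security_reqs and i.item_id not in covered)

def stale_scope(items: List[Item], tests: List[RefutationTest]) -> List[Tuple[str, str]]:
    """Scope entries naming no known item: the plan has drifted from the design."""
    known = {i.item_id for i in items}
    return sorted((t.test_id, s) for t in tests for s in t.scope - known)

def untraced_findings(tests: List[RefutationTest]) -> List[Tuple[str, str]]:
    """O8.6: discrepancies recorded without a justification and trace."""
    return sorted((t.test_id, f) for t in tests for f, why in t.findings.items() if not why)

# Constructed sample plan (illustrative identifiers only).
ITEMS = [Item("ACARS-IF", True), Item("MAINT-PORT", True),
         Item("CABIN-LIGHT", False), Item("FMS-SW", True)]
TESTS = [
    RefutationTest("RT-01", {"ACARS-IF", "FMS-SW"}, {"F-1": "Traced to VUL-7; accepted risk"}),
    RefutationTest("RT-02", {"MAINT-PORT-OLD"}, {"F-2": None}),   # stale scope, unjustified finding
]

def report(items=ITEMS, tests=TESTS) -> dict:
    return {
        "uncovered": uncovered_items(items, tests),
        "stale_scope": stale_scope(items, tests),
        "untraced": untraced_findings(tests),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```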
Security Risk Assessment Objectives
The purpose of the Security Risk Assessment process is to identify unacceptable security risks (using the security scope and threat conditions/scenarios) according to the methodology defined in the security plan, and to define requirements for security measures to mitigate them. The security risk assessment process is expected to be continuous, iterative, and closed-loop throughout the development life-cycle phase.