US Election Assistance Commission - Voluntary Voting System Guidelines Vote
Name :   Matt Bishop
Organization :   University of California Davis
Post Date :   9/30/2005

Section Comments
Section :  20.1.3.1
Page no. :  
Line no.:  
Comment :  The current certification process—involving the standards, vendors, and ITA—does not include threat modeling or threat identification.

It is not immediately apparent how these processes from commercial software development can be integrated into the certification process. This paper proposes a division of labor designed to integrate these critical phases of secure software development into the certification procedure.

In summary, the standards should require that vendors provide both threat and system models, and suggest partial models when appropriate. For example, certain threats are common to all jurisdictions and the standards should require vendors to include them in their threat model. The vendors should provide models for their specific systems, so that others can see what threats their systems are designed to counter and how those systems counter those threats. Vendor documentation should note those threats they deem unrealistic or unthwartable.