Reporting Process#
Inputs#
Results from Product Verification activity
Outputs#
Decision (see Decision Types)
RABET-V Product Report
RABET-V Product Public Report
Workflow#
Review of Product Verification Results and Determination#
An internal review of the Product Verification Results will examine whether the product’s verification met its claims.
The internal review will result in a Verification Status. The possible Verification Statuses are Verified, Conditional Verified, and Returned. These determinations are published in the Public Portal and may be updated if a Verification Status changes, most commonly when a Conditional Verified product has made adjustments that move it to a Verified status.
Verified#
A Verified status means that the product is likely to perform as described in its Product Goals and Security Claims in the Expected Usage operating environment.
Conditional Verified#
A Conditional Verified status means that while the product is likely to perform as described in its Product Goals and Security Claims in the Expected Usage operating environment, the RABET-V process identified at least one non-critical issue or deviation.
With a Conditional Verification, the RTP is expected to remediate the issue and submit for a re-verification. If no other changes are made to the product, the process for re-verifying is considered part of the same submission and, upon review, can result in the Verification Status being changed to Verified.
Issues and deviations are detailed in the Product Report.
Returned#
A Returned status means that the product does not perform as described in its Product Goals and Security Claims. It has critical issues or deviations that are unlikely to be addressed through minor fixes. The RABET-V process identified at least one critical issue or deviation severe enough that any additional review will require a new submission.
Issues and deviations are detailed in the Product Report.
Product Report Generation#
Report Template#
The RABET-V Results Summary provides scored outcomes for product security capabilities and security architecture maturity and for organizational software development process maturity. For Revision Submissions, it will include any change from the previous submission.
Product Security Capability Maturity: the quality of the product’s capabilities at providing safeguards under each of these security control families:
Authentication
Authorization
Injection Prevention
Key/Secret/Credentials Management
User Session Management
Logging/Alerting
Data confidentiality and integrity protection
Product Security Architecture Maturity: the quality and reliability of the product’s architecture to support security services and the likelihood that product changes will impact the Product Security Capability Maturity levels:
Authentication
Authorization
Injection Prevention
Key/Secret/Credentials Management
User Session Management
Logging/Alerting
Data confidentiality and integrity protection
Software Development Maturity: the quality of the RTP’s processes in each of these areas:
Governance
Design
Implementation
Verification
Operations
Usability
Product (Revision) Summary
Details about the product as submitted, including its description, expected usage (i.e., use cases), version number(s), etc. For Revision Submissions, this includes the Change List.
Verification Methods
Description of how the system was tested, including the verification methods used in the testing.
Maturity Trends
A description of what caused the change for any product or process maturity level that changed.
Appendices
Requirements Scores: a list of all individual requirements and whether the RTP is meeting each of them
Product Public Report Generation#
Each completed Verification will have a public report that provides basic information on the verification. This information will include:
A reference number for the review
The product’s name and version number
The RTP’s name
The initial Verification Status and date
The current Verification Status and date
Contact information for the RTP
Summary scores