https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21303#M1147 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1475315891">@wentzwu</a>&nbsp;wrote:<BR /><P>When studying Domain 3, Security Architecture and Engineering, of the CISSP CBK, it is not uncommon that CISSP aspirants are confused by the concept of the reference monitor. The following is a summary of my studying the Orange Book to clarify it.</P><P>&nbsp;</P><P><A href="https://wentzwu.com/2019/04/17/the-reference-monitor-concept" target="_blank" rel="noopener">https://wentzwu.com/2019/04/17/the-reference-monitor-concept</A></P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Wentz,</P><P>Thank you. Your illustrations here lead to a nice comparison. However, for most of the younger members of our community, I'd like to point out that the <EM>Orange Book</EM> is the nickname for an out-of-date computer security publication from the U.S. National Security Agency (NSA), officially titled</P><P><EM>DoD 5200.28-STD "Orange Book", DoD Trusted Computer System Evaluation Criteria</EM> (December 26, 1985).</P><P>&nbsp;</P><P>It is the most prominent and well-known book in a series of computer security publications from NSA, called the <EM>Rainbow Series</EM>, since each volume was printed with a different distinctive color cover. They were written and maintained in the 1980's and '90's.&nbsp;</P><P>&nbsp;</P><P>None of the Rainbow Series publications are current or currently valid, but they are an important set with historical significance. They are no longer maintained or published by NSA or the Department of Defense (DoD). However, the U.S. National Institute of Science &amp; Technology Computer Resource Center (NIST CRC) makes many of them available for historical purposes. See&nbsp;</P><P><A href="https://csrc.nist.gov/publications/detail/white-paper/1985/12/26/dod-rainbow-series/final" target="_blank" rel="noopener"><STRONG>White Paper:&nbsp;DoD Rainbow Series</STRONG></A></P><P>and further links back to the more complete collection at the&nbsp;</P><P><A href="https://fas.org/irp/nsa/rainbow.htm" target="_blank" rel="noopener"><STRONG>Federation of American Scientists</STRONG></A></P><P>&nbsp;</P><P>As noted by the FAS, some of the Rainbow Series books were superseded by the&nbsp;</P><P><A href="https://www.niap-ccevs.org" target="_blank" rel="noopener"><STRONG>Common Criteria Evaluation and Validation Scheme (CCEVS)</STRONG></A></P><P>as maintained by the National Information Assurance Partnership (NIAP).</P><P>&nbsp;</P><P>Finally, some U.S. national security organizations and some contractors to those organizations prohibit use of government or corporate computers and networks to access the FAS.org web site. Community members at U.S. DoD, DHS, and Intel Community organizations, and at companies with contracts with those organizations should consult with their information security offices before connecting to FAS.org.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Apr 2019 14:40:27 GMT CraginS 2019-04-17T14:40:27Z https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21295#M1142 <P>When studying Domain 3, Security Architecture and Engineering, of the CISSP CBK, it is not uncommon that CISSP aspirants are confused by the concept of the reference monitor. The following is a summary of my studying the Orange Book to clarify it.</P><P>&nbsp;</P><P><A href="https://wentzwu.com/2019/04/17/the-reference-monitor-concept" target="_blank" rel="noopener">https://wentzwu.com/2019/04/17/the-reference-monitor-concept</A></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ReferenceMonitorConcept.jpg" style="width: 999px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/3142i2224AB0F62CEF9BC/image-size/large?v=v2&amp;px=999" role="button" title="ReferenceMonitorConcept.jpg" alt="ReferenceMonitorConcept.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TCBAccessControl.jpg" style="width: 999px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/3143i7A874E99EB952AD9/image-size/large?v=v2&amp;px=999" role="button" title="TCBAccessControl.jpg" alt="TCBAccessControl.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BellLaPadulaModel.jpg" style="width: 999px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/3144iDD4EE97EAEF27F75/image-size/large?v=v2&amp;px=999" role="button" title="BellLaPadulaModel.jpg" alt="BellLaPadulaModel.jpg" /></span></P> Mon, 09 Oct 2023 09:10:54 GMT https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21295#M1142 wentzwu 2023-10-09T09:10:54Z https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21303#M1147 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1475315891">@wentzwu</a>&nbsp;wrote:<BR /><P>When studying Domain 3, Security Architecture and Engineering, of the CISSP CBK, it is not uncommon that CISSP aspirants are confused by the concept of the reference monitor. The following is a summary of my studying the Orange Book to clarify it.</P><P>&nbsp;</P><P><A href="https://wentzwu.com/2019/04/17/the-reference-monitor-concept" target="_blank" rel="noopener">https://wentzwu.com/2019/04/17/the-reference-monitor-concept</A></P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Wentz,</P><P>Thank you. Your illustrations here lead to a nice comparison. However, for most of the younger members of our community, I'd like to point out that the <EM>Orange Book</EM> is the nickname for an out-of-date computer security publication from the U.S. National Security Agency (NSA), officially titled</P><P><EM>DoD 5200.28-STD "Orange Book", DoD Trusted Computer System Evaluation Criteria</EM> (December 26, 1985).</P><P>&nbsp;</P><P>It is the most prominent and well-known book in a series of computer security publications from NSA, called the <EM>Rainbow Series</EM>, since each volume was printed with a different distinctive color cover. They were written and maintained in the 1980's and '90's.&nbsp;</P><P>&nbsp;</P><P>None of the Rainbow Series publications are current or currently valid, but they are an important set with historical significance. They are no longer maintained or published by NSA or the Department of Defense (DoD). However, the U.S. National Institute of Science &amp; Technology Computer Resource Center (NIST CRC) makes many of them available for historical purposes. See&nbsp;</P><P><A href="https://csrc.nist.gov/publications/detail/white-paper/1985/12/26/dod-rainbow-series/final" target="_blank" rel="noopener"><STRONG>White Paper:&nbsp;DoD Rainbow Series</STRONG></A></P><P>and further links back to the more complete collection at the&nbsp;</P><P><A href="https://fas.org/irp/nsa/rainbow.htm" target="_blank" rel="noopener"><STRONG>Federation of American Scientists</STRONG></A></P><P>&nbsp;</P><P>As noted by the FAS, some of the Rainbow Series books were superseded by the&nbsp;</P><P><A href="https://www.niap-ccevs.org" target="_blank" rel="noopener"><STRONG>Common Criteria Evaluation and Validation Scheme (CCEVS)</STRONG></A></P><P>as maintained by the National Information Assurance Partnership (NIAP).</P><P>&nbsp;</P><P>Finally, some U.S. national security organizations and some contractors to those organizations prohibit use of government or corporate computers and networks to access the FAS.org web site. Community members at U.S. DoD, DHS, and Intel Community organizations, and at companies with contracts with those organizations should consult with their information security offices before connecting to FAS.org.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Apr 2019 14:40:27 GMT https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21303#M1147 CraginS 2019-04-17T14:40:27Z https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21337#M1155 <P><SPAN>Thank you, Dr. Shelton, for your informative supplement.</SPAN></P> Wed, 17 Apr 2019 23:42:22 GMT https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21337#M1155 wentzwu 2019-04-17T23:42:22Z https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21417#M1173 <P>Although times and reference sources and materials have changed "security kernels" are still one of the most important security engineering topics to grasp for a CISSP. Searching through Common Criteria evaluations will give you good practical knowledge on product conformance claims. Testing of secure designs goes from mathematical formalism to validating that those principles are verified in OS designs. It is the most fun reading you can have!</P> Fri, 19 Apr 2019 17:51:43 GMT https://community.isc2.org/t5/Tech-Talk/A-brief-summary-of-my-studying-the-Orange-Book/m-p/21417#M1173 AppDefects 2019-04-19T17:51:43Z