
ILT-U-3945
Software and Firmware Security Assessment. Assessment of Competence in the Security Evaluation of Software and Firmware Components of Products with Digital Elements under the Cyber Resilience Act (CRA)
| DETERMINATION | METHOD |
|---|---|
| Hardcoded Administrative Credentials | Source Code Review, Firmware Analysis |
| Hardcoded Cryptographic Key | Source Code Review, Firmware Analysis |
| Credentials Stored in Cleartext | Configuration Review, Data Protection Assessment |
| Sensitive Information Recorded in Logs | Log Analysis, Data Protection Assessment |
| Insecure Key Management Architecture | Software Architecture Review, Source Code Review |
| Secure Boot Disabled | Bootloader Analysis, Configuration Review |
| Firmware Signature Verification Missing | Secure Boot Assessment, Source Code Review |
| Integrity Failure Does Not Stop Execution | Boot Process Analysis, Firmware Review |
| Unsigned Firmware Accepted | Firmware Integrity Assessment, Verification Logic Review |
| Firmware Downgrade Accepted | Update Mechanism Assessment, Configuration Review |
| Unsigned Update Package | Update Package Analysis, Signature Validation Review |
| Manifest Integrity Not Protected | Manifest Review, Update Security Assessment |
| Rollback Protection Absent | Update Mechanism Assessment, Version Control Review |
| Update Channel Uses Insecure Transport | Architecture Review, Update Security Assessment |
| Manifest Validation Logic Deficient | Source Code Review, Manifest Analysis |
| Update Events Not Recorded | Log Analysis, Audit Assessment |
| Log Tampering Possible | Log Repository Review, Configuration Analysis |
| Log Integrity Controls Missing | Logging Architecture Review, Audit Assessment |
| Audit Trail Incomplete | Audit Log Review, Logging Assessment |
| Administrative Actions Not Audited | Audit Assessment, Log Analysis |
| Unsafe Function Usage | Static Code Review, Vulnerability Discovery |
| Known Vulnerable Third-Party Component | SBOM Analysis, Dependency Review |
| Insecure Default Configuration | Configuration Review, Security Configuration Assessment |
| Debug Functionality Accessible | Source Code Review, Configuration Analysis |
| Input Validation Weakness | Source Code Review, Vulnerability Discovery |
| Security Architecture Design Weakness | Software Architecture Review, Trust Boundary Analysis |

