Asset Flow Analysis (F11b)
Successful attacks require adversaries to read or modify protected data, i.e., assets. A key task for vulnerability analysis is to determine where and when an asset is available in a device or system. Asset flow analysis provides a structured method to determine the actual attack surface and the protection requirements of subsystems on this basis. It is therefore a valuable tool for architects, developers, and evaluators. Since Version 6, a tailored variant of asset flow analysis has been part of the international criteria for payment cards (PCI). The author proposes a more general formulation in the framework of EUCC as an extended assurance class, ADV_ARC.2.
