Main CSA pain points (from the TLCTC perspective)

1) No mandatory cause‑based threat taxonomy in schemes

Problem: Schemes define controls and evaluation activities, but do not require a standard dictionary for the initiating threat. Labels like “malware” or “ransomware” mix effect/tool with cause.

Impact: Inconsistent evaluation focus and non‑comparable claims across schemes and sectors.

Fix: Embed a one‑page TLCTC Statement of Coverage in every scheme and certificate: show which of the 10 clusters are architecturally covered, how, and with what evidence.

2) Assurance levels not tied to adversary capability per cluster

Problem: "Basic/Substantial/High" often scales documentation and testing depth, not threat capability across #1–#10.

Impact: A “high” certificate may still leave weak coverage for #5 (MitM), #6 (Flooding), or #10 (Supply Chain).

Fix: Define cluster‑minimums per assurance level (e.g., pinning + transparency logs at “high” for #5; scrubbing + back‑pressure for #6; build‑pipeline attestations for #10).

3) Conformance over adversarial evaluation

Problem: Labs largely verify presence of controls and pass/fail requirements; red‑team style evaluation of attack paths is uncommon.

Impact: Good on paper, brittle in the wild—especially for #1 (logic abuse) and #7 (execution control).

Fix: Add per‑cluster challenge sets to evaluation: logic‑abuse tests (#1), memory‑safety exploit proofs (#2/#3), token replay (#4), pinned‑TLS break attempts (#5), traffic storms (#6), signed‑code bypasses (#7), tamper extraction (#8), UX spoofing trials (#9), build‑system compromise drills (#10).

4) Logic‑abuse (#1) vs. code defects (#2/#3) blurred

Problem: Many schemes funnel everything into generic “vulnerability management.”

Impact: #1 Abuse of Functions (design/logic) gets treated like coding defects, yielding weak mitigations and KPIs.

Fix: Require separate risk sections and evidence for #1 logic abuse vs #2/#3 code defects with distinct controls (e.g., constrained workflows, business‑rule guards, and privilege scoping for #1).

5) Credentials seen as data, not trust controls (#4)

Problem: Shared secrets, recoverable tokens, and weak device pairing can pass baseline checks.

Impact: When #4 Identity Theft occurs, the system is already compromised by definition (Axiom X).

Fix: At “substantial/high,” mandate phishing‑resistant, device‑bound credentials, hardware‑backed key storage, and admin paths without recoverable secrets.

6) Update & distribution integrity: under‑specified #5 and #10

Problem: “Use signed updates over TLS” often suffices.

Impact: Real attack paths are #10 Supply Chain → #7 Malware (build/signing compromise) or #5 MitM → #7 Malware (transport subversion).

Fix: Require provenance (SBOM with source attestation), signer protection evidence, transparency logs, pinning, and device‑bound verification.

7) DoS resilience (#6) rarely first‑class

Problem: Capacity/abuse‑case testing is light or out of scope.

Impact: Certificates say “secure,” yet APIs or services fall over under modest floods.

Fix: Mandate rate‑limit, back‑pressure, graceful degradation and scrubbing evidence proportional to assurance level.

8) Malware execution model (#7) not explicit

Problem: Schemes verify patching and anti‑malware presence, not what can execute and with what rights.

Impact: Environments still happily run foreign code/LOLBAS.

Fix: Require an execution policy (allow‑listing, least privilege namespaces/jails, signed‑only modules, runtime egress controls) and verification via attestation.

9) Physical surface (#8) inconsistently covered

Problem: Tamper, debug ports, and secure erase vary widely by product class.

Impact: Physical access frequently enables #4 and #7.

Fix: At higher assurance, require sealed debug paths, measured boot, anti‑roll‑back, and secure wipe with test evidence.

10) Social engineering (#9) treated as “user problem”

Problem: UX protections against spoofing or irreversible actions are seldom evaluated.

Impact: Products enable dangerous flows if the user is persuaded.

Fix: Add protected workflows (confirmation out‑of‑band, trusted UI elements, anti‑spoof UI) to scheme requirements; test through human‑factors exercises.

11) Supply‑chain exposure (#10) scored weakly

Problem: SBOM presence ≠ supply‑chain security. Build pipelines, signing services, and distribution CDNs remain opaque.

Impact: Portfolio risk dominated by third‑party assumptions.

Fix: Introduce a #10 exposure score with attestations: isolated builds, hardened signers, dependency provenance, reproducible builds, and secured distribution.

12) Certificates don’t carry attack‑path evidence

Problem: Declarations of conformity list controls, not how products withstand common attack paths.

Impact: Buyers can’t compare resilience across vendors.

Fix: Require an Attack Path (TLCTC) section in the certificate dossier (e.g., #5 → #7 blocked by pinning + signed‑only loading + attestation). Publish a short summary.

13) Composition & dependencies (product ↔ service) create blind spots

Problem: Many targets are product‑plus‑cloud‑service systems; certification scope lines are fuzzy.

Impact: Real attack paths traverse device ↔ app ↔ cloud (#5/#6/#10).

Fix: Document and test end‑to‑end TLCTC paths across in‑scope and critical out‑of‑scope components; flow down requirements contractually.

Common attack‑path patterns relevant to certification

Use these to design challenge sets and to evidence resilience in evaluation reports.

• Malicious update payload: #10 → #7 → #4 → (#1 + #7)
• Parser bug in client/agent: #3 → #7 → #4
• Embedded server flaw: #2 → #7 → #4
• Default credentials abused: #4 → #1
• Update channel hijack: #5 → #7
• API flood on companion service: #6