A positive element of Common Criteria is that it ensures developers have taken a robust approach to designing, developing, testing and shipping the product; this is fundamental to the development of any security product.
In the UK, CESG has started to implement a scheme called Commercial Product Assurance (CPA), but it does not yet have the same market visibility as Common Criteria. CPA extends the core principles of Common Criteria and adds another vital element: deployment criteria. This is a set of recommendations on how the product should be deployed to achieve the claimed security mitigations. We have always taken this approach at Nexor, by working with the customer to ensure they implement the product in an appropriate way.
Another core aspect of CPA is the definition of security characteristics – this provides an agreed set of security controls and mitigations the product should provide. This addresses a criticism of Common Criteria whereby vendors define their own controls, so it is hard to compare the merits of similar products. The changes in Common Criteria towards protection profiles mirror this. (The article “Achieve Cyber Security by Using Common Criteria Certification” gives a good overview of the evolution of Common Criteria.)
One of the remaining challenges is dealing with the dynamic nature of new threats that appear on a day-to-day basis. For Common Criteria this has been an issue: as soon as a product is modified, the certification is lost – or needs retesting under a certification maintenance programme. CPA attempts to address this by validating that the developer's processes are sufficiently robust to make modifications to the product without affecting the core security capability.
I look forward to the evolution of the CPA and Common Criteria schemes; both schemes enable providers like Nexor to demonstrate the lengths we go to, to ensure our products meet the highest possible standards of security.
What’s your view? Do you look for 3rd-party assurance when you buy security products? Please leave your comments below.
Secure By Design by Andrew Kays.