'Quo Vadis, Common Criteria?' - Helmut Kurth
Assessments and certifications of technical products are common in many (if not most) areas where a failure of a component may cause severe harm. Only a few people question the necessity of such assessments. atsec has performed security evaluations of commercial IT products for many years, but the results of those assessments are still not considered by many to be worth the effort spent. So, what went wrong here?
The topic of this essay is an analysis of why we are in this situation and what can be done to improve it. In order to learn for the future we will analyze the past to identify where mistakes have been made and why we have not corrected them.
In order to do this we will analyze the objectives and the target audience of the different evaluation criteria that finally led to the Common Criteria, and we will show that while we tried to harmonize the criteria and the evaluation process, we never harmonized the objectives and target audience of such a process. Instead, the development of “new versions” of the evaluation criteria focused more on formalities (because they could be agreed upon easily) rather than on real technical improvements. The result is a set of criteria and an evaluation methodology which only partly reflects the objectives of the different stakeholders. With the attempt to please everybody we have reached a situation where actually nobody is really satisfied.
How can this be corrected? The first step is to acknowledge what went wrong. The second step is to acknowledge that not everything went wrong. The third step is to acknowledge that the different objectives that we started with have their merits. None of them is “wrong”; they just cannot all be satisfied at the same time.
So, what can be done? We will propose several alternatives that may help to resolve the problem and have useful security evaluations in the future. All of them have their pros and cons which we will point out.
As Niels Bohr once said: "Prediction is very difficult, especially about the future!" In our case the future of security evaluations of IT products is in our hands – which, as the past has shown, doesn’t make predicting the future easier. Anyhow, we will try it. We will show alternatives that can be taken to make it both relevant and useful for more stakeholders than those who try to use evaluations and evaluation results today, and also to improve the criteria and the evaluation process. The suggestions are more in line with “traditional” assessment methods for technological products, taking the specifics of Information Technology and especially software into account.
'DO-178B and Common Criteria Evaluation' - Sergey Tverdyshev
In this talk we present an approach for reusing DO-178B certification artefacts for Common Criteria evaluation. Our experience has been collected by applying the approach to a certified hypervisor. We show what can be reused and what has to be developed from scratch. We also consider one specific functionality, the security audit, of a hypervisor for security-critical applications. We show the difference from the safety audit and consider the security audit in the context of Common Criteria.
'The Multifaceted Nature of Security Assurance' - Sal La Pietra
Most security assurance methods, including Common Criteria, are rooted in the days of a nascent Internet society and of the Cold War. As the global IT security industry grapples with the turmoil of change, with changing global economies and alliances and the explosion in connectivity and IT technology advances, it is clear to all of us that something has to change. One thing we are sure about is that security assurance is not simple. In this keynote we examine some of the fundamentals of IT security assurance, including the motivations of each of the stakeholders in the IT security assurance industry. We remind ourselves that the provision of IT security assurance is not always entirely technical in nature. With an understanding of the fundamental nature of IT security assurance, and the goals of each stakeholder that is involved, we can be better prepared for the evolution in IT security assurance that is already upon us.