This week’s question comes from Rob, who works for a security vendor. It’s one that comes up a lot on both the vendor and the end user sides.

I recall that sometime before Xmas you said that only certifications greater than EAL 5 were worth anything, and that you would write about that later. … Can a mickey mouse protection profile, or the TOE chosen, affect the end value of the cert, in your opinion?

I’ll be honest, I’m not the biggest fan of Common Criteria. For those of you who don’t pay attention to these sorts of things, Common Criteria is an international standard to certify security products (or security features). Wikipedia has a reasonable entry for more details. More specifically, it is a standard for specifying and evaluating the security assurance of computer products and systems. It is a core part of the certification and accreditation process used by government agencies.

I don’t want to get into the nitty gritty details of Common Criteria, but basically you certify products at one of 7 different Evaluation Assurance Levels (EAL 1-7), with 1 being “functionally tested”, and 7 being “formally verified design and tested”. To avoid any more acronyms, you basically document your security functions (usually against a common protection profile), and then certify to the degree your product meets those requirements.

And there’s the rub.

First, the system doesn’t evaluate the security of a product; it is a certification that the security features match their documentation, at least at EAL 1-4. At those levels it’s pretty much, “here’s a list of features, and assurance, from an outside lab that charged us WAY too much money, that our features meet those requirements.” When you see EAL 4+ it usually means some more advanced criteria were pulled in as part of the evaluation. Many MANY EAL 4+ products are just as full of holes and bugs as anything else. The functions documented work as advertised, but that’s about it.

That’s what Rob was getting at with the protection profile and the TOE (Target of Evaluation; the part of the product that is actually tested). With a weak protection profile and a limited TOE you can still achieve high assurance, since the scope of the evaluation is limited. It’s the same beef I have with those worthless SAS 70 evaluations.

At EAL 5-7 life is more interesting, at least here in the US. The NSA gets involved at that point and you come closer to certifying the entire security of the product and the development process. Very cool, and very time consuming and expensive. Very few products certify at 5+ because of the cost.

There are other problems with CC, including keeping a product certified as it changes over time.

My advice? As an end user, unless you’re in government where this is mandated, ignore Common Criteria. Instead, ask your vendor for documentation of their security development process and what tools they use to test the code, or any independent lab evaluations as to the security of the product (vulnerability analysis and testing). CC is essentially meaningless to you if it’s under 5.

As a vendor, if you want to sell to the government you’ll have to pony up for an evaluation. Keep it as low as you can to reduce costs, but if you want to play with classified agencies you’re looking at a minimum of 4+, and probably higher.

I expect comments on this one will be either non-existent, or very interesting…


p style=”text-align:right;font-size:10px;”>Technorati Tags: