This week’s question comes from Rob, who works for a security vendor. It’s one that comes up a lot on both the vendor and the end user sides.
I recall that sometime before Xmas you said that only certifications greater than EAL 5 were worth anything, and that you would write about that later. … Can a Mickey Mouse protection profile, or the TOE chosen, affect the end value of the cert, in your opinion?
I’ll be honest, I’m not the biggest fan of Common Criteria. For those of you who don’t pay attention to these sorts of things, Common Criteria is an international standard to certify security products (or security features). Wikipedia has a reasonable entry for more details. More specifically, it is a standard for specifying and evaluating the security assurance of computer products and systems. It is a core part of the certification and accreditation process used by government agencies.
I don’t want to get into the nitty-gritty details of Common Criteria, but basically you certify products at one of 7 different Evaluation Assurance Levels (EAL 1-7), with 1 being “functionally tested”, and 7 being “formally verified design and tested”. To avoid any more acronyms, you basically document your security functions (usually against a common protection profile), and then certify to the degree your product meets those requirements.
And there’s the rub.
First, the system doesn’t evaluate the security of a product; it is a certification that the security features match their documentation, at least at EAL 1-4. At those levels it’s pretty much, “here’s a list of features, and assurance, from an outside lab that charged us WAY too much money, that our features meet those requirements.” When you see EAL 4+ it usually means some more advanced criteria were pulled in as part of the evaluation. Many MANY EAL 4+ products are just as full of holes and bugs as anything else. The functions documented work as advertised, but that’s about it.
That’s what Rob was asking about the protection profile and the TOE (Target of Evaluation; what part of the product is tested). With a weak protection profile and limited TOE you can still achieve high assurance, since the scope of the evaluation is limited. It’s the same beef I have with those worthless SAS70 evaluations.
At EAL 5-7 life is more interesting, at least here in the US. The NSA gets involved at that point and you come closer to certifying the entire security of the product and the development process. Very cool, and very time consuming and expensive. Very few products certify at 5+ because of the cost.
There are other problems with CC, including keeping a product certified as it changes over time.
My advice? As an end user, unless you’re in government where this is mandated, ignore Common Criteria. Instead, ask your vendor for documentation of their security development process and what tools they use to test the code, or any independent lab evaluations as to the security of the product (vulnerability analysis and testing). CC is essentially meaningless to you if it’s under 5.
As a vendor, if you want to sell to the government you’ll have to pony up for an evaluation. Keep it as low as you can to reduce costs, but if you want to play with classified agencies you’re looking at a minimum of 4+, and probably higher.
I expect comments on this one will be either non-existent, or very interesting…
4 Replies to “Ask Securosis: Is Common Criteria Certification Worth Anything?”
Right, Anton is definitely correct. When I was working at LM, EAL5 was the golden standard and kept a lot of vendors outside the locked gates of huge federal contracts… It’s just risk management for the government. I think partly being that if a vendor has the time and money to sink into certification at the 5+ level they’re probably in it for the long haul.
One thing that I thought was odd was that at LM, for the most part, only the OS of the system was subject to the rating. But if I brought an embedded device into the picture (enter a PTI protocol server, Cisco router, etc…) it didn’t need to meet any level whatsoever. This wasn’t quite always the case but seemed to be the norm.
> Is Common Criteria Certification Worth Anything?
+
>It’s simply a checkbox in order to sell within the federal
>space.
=
it is worth a lot.
>>I expect comments on this one will be either non-existent, or very interesting…
Reminds me of an episode of “I Love Lucy” where an etiquette coach is in, and begins by asserting that there are two words that should never be used, the first is swell and the second is crummy. Fred Mertz says something along the lines of “tell us the crummy one first”
Sorry… but it is Monday. At least _I_ got a laugh out of it.
Having gone through the CC process and recertification as a vendor your assessment is spot on. It’s simply a checkbox in order to sell within the federal space.