
How To Assure yourself by Common Criteria


There is a great deal of gray area around Common Criteria certifications, not because there is anything wrong with them, but the opposite: RFPs go out asking for answers without requesting any legitimate source of information about the capabilities of the product being asked for.

What happens is as follows:
When a firm or company needs a technological product, let's just say a firewall, they put out the specifications they require and ask for a certain throughput, VPN abilities, content inspection abilities and so on. The integrator or product provider usually answers this RFP by applying their best knowledge and whitepaper cut-outs.

In that way the firm or company that requested the product may get a product that is cheap and answers all the required technical specifications, but the product itself is poorly implemented and written, while its documentation says that it supports just about everything and that the product is "very secure and hardened".

Common Criteria comes as a legitimate standard for checking the entire process of product development, deployment and benchmarking, and therefore certifies a product in such a way that a customer can rest assured that he is getting a product that has passed at least a certain level of standard checks.

The 7 different steps of the Common Criteria are known as EALs, "Evaluation Assurance Levels", and are marked as such:
A product that has reached EAL level 4 may get the certificate "EAL4 Certified".

Therefore, when issuing an RFI or RFP, one should request an EAL level that is the minimum acceptable for this product. By doing that, the company assures itself that it gets a product that satisfies its needs.

There is some great information at the Common Criteria portal (http://www.commoncriteriaportal.org). For instance, you can read the user guide and get familiar with the different EAL levels and the way each level is checked:
http://www.commoncriteriaportal.org/public/files/ccusersguide.pdf
http://www.commoncriteriaportal.org/public/files/ccintroduction.pdf

As a security engineer, when a customer asks me for consultancy about a product or a solution for securing an element of his IT/IS, my first question about that product will always be: "What is its CC-EAL certification level?"

Always remember: when a standard is requested, and the product or solution you get is certified to that standard, you usually get what you pay for, nothing less, maybe more.


Either it has CC certification or it doesn't. I know just a few organizations that can afford to buy a product and demand it gets certified for the organization.

Most major security products are certified and all the rest are not.

Just remember all Windows versions are certified.

CC is good, but obviously it has failed in many aspects. It is not a very common criteria; it is tiresome, expensive and so on.

This is actually an incorrect approach to the CC certifications.
Because even most major products have been certified for CC, the EAL level of certification may vary, and each one is very different in approach and in ensuring you get what you actually need.

Let's just say you need a TCB (trusted computer system base): you cannot get a system with a level under EAL 4. Firewalls are usually EAL4 certified.

I replied to you on my blog.


About

    My name is Barry Shteiman, I'm a devoted tech junkie, and this is my blog.
    E: barry.shteiman -at- gmail.com
    Twitter : bshteiman
