GPG-403
Common Criteria – Better, Faster and Cheaper?
Audrey Dale & David Martin
Common Criteria Development Board
04/24/09 | Session ID: GPG-403
Session Classification: UNCLASSIFIED
Get ready for a high speed tour…
...toward Common Criteria Version 4.0
Warnings, caveats and more…
Agenda
What is it?
Where are we today?
Where are we going?
How are we going to get there?
What do we want to end up with?
What is it?
Question #1
Which of the following are true about the Common Criteria?
a. It is an international standard used for evaluating IT products
b. The Common Criteria Recognition Arrangement
(CCRA) was signed in 1776
c. 10 products have been evaluated and
certified to date
d. Evaluations are mutually recognized up through
EAL 4 by CCRA member nations
Question #1 - Answer
Which of the following are true about the
Common Criteria?
a. It is an international standard used for evaluating IT
products
b. The Common Criteria Recognition Arrangement
(CCRA) was signed in 1776 - 1998
c. 10 products have been evaluated and
certified to date – over 1,000
d. Evaluations are mutually recognized up through
EAL 4 by CCRA member nations
Question #2
Which of the following is NOT a key component
of the CC Recognition Arrangement?
a. CC Evaluation Laboratories
b. Security Targets
c. Protection Profiles
d. The Orange Book
e. Certification Bodies
f. Supporting Documents
Question #2 - Answer
Which of the following is NOT a key component
of the CC Recognition Arrangement?
a. CC Evaluation Laboratories
b. Security Targets
c. Protection Profiles
d. The Orange Book
e. Certification Bodies
f. Supporting Documents
Bonus Question
Which country is NOT a member of the
CCRA?
[Answer options a. through g.: not recoverable]
Bonus Question - Answer
Which country is NOT a member of the
CCRA?
[Answer options a. through g.: not recoverable]
Where are we today?
The CC Today
CC Version 3.1
Over 1000 products evaluated
26 countries & more knocking on the door
Many lessons learned over the past 10 years
Some countries researching alternative evaluation methodologies
The CC can accommodate the lessons learned and needs of the community
[Diagram: Part 1 Introduction, Part 2 Functional Requirement, Part 3 Assurance Requirement]
Where are we going?
Inputs for CC V 4.0
UK and US research & trials
CC Development Board interactions with users
and vendors
CC Development Board has also been
considering general assurance developments
Combining objectivity/repeatability with expert knowledge
Lessons Learned
Technical experts critical
Use “real” development artifacts
Consider vendor’s development and update process
Create more meaningful reports
Must have evaluator support tools
Need analysis tools
Smartcard community got it right
What have IT vendors said they want?
• Credit for their assurance efforts
• An efficient process
• A process that helps them improve
• Results valued by customers
• Results that are widely applicable and widely recognized
What have users told us they want?
The most current evaluated products
Meaningful outputs
The ability to compare products
How are we going to get there?
CC V 4.0 Working Groups
• Evidence Based Approach
• Evaluator Skills and Interaction
• Predictive Assurance
• Meaningful Reports
• Tools
• Implementation Assurance
Evidence Based Approach
Consider alternative techniques and methods
Consider all vendor evidence
Consider vendor use of tools
Predictive Assurance
Consider vendor development process
Increased understanding of
the product roadmap
Consider vendor flaw
remediation process
Goal = longer certificate
validity
Meaningful Reports
Improve all evaluation outputs
Provide more information on residual risks, strengths/weaknesses
Provide configuration guidance for effective use of security mechanisms
Provide customers with the
information required for their
assurance decisions
Evaluator Skills and Interaction
Underpins the other work items
Considering how to provide increased commonality in evaluator:
Training
Assessment
Interaction (within and between schemes)
Tools
Original aim - to define tools
that will support all of the
working methods described in
the other work areas
Redirected to define workflows
(allowing development of tools)
Encourage use of tools by
vendors
Implementation Assurance
• New approach aimed at large software
products
• Examining aspects of implementation
that can be measured objectively and
reported
• Examples are defensive compiler
features
• Based on extensive use of Protection
Profiles
• To be developed in conjunction with
vendors
• Complementary to the other workgroups
General CC V 4.0 Development Process
• Minimize resource loading on schemes with much of work pursued electronically
• Wikis used during the start up meetings & will be used for further development
• Similar approach likely for external interaction
• Each workgroup will set up appropriate timing and collaboration methods
Sample Wiki
What do we want to end up with?
End Goal
The Common Criteria – but Better, Faster and Cheaper!!!
Specific Aims
Evaluations performed by the optimum combination of
subject matter experts and assurance experts
Supporting national and international interactions with
other evaluators (with suitable protection for
developer's IP)
Common assessment levels for evaluator skills
Evaluators examine evidence produced as a normal part of the product development
Evaluators examine vendor development process including their use of tools
Specific Aims
Supporting the provision of 'predictive assurance'
Reports will use language and concepts best suited to user’s needs
Clear focus on the flaw remediation process and the
strategic development plans for the product
Greater focus upon implementation aspects
Better broad comparability in assurance levels between technologies
Apply
Vendors – volunteer for a CC V4.0 trial evaluation
Vendors – tell us what new technologies you’re building
Customers – tell us what new technologies you need and are planning to use
Customers – tell us what information would be helpful in our reports
All – help us with the development of the new
version via your national scheme
End of the high speed tour…
Questions
???