Apex Assurance Group at ShmooCon
Updated January 18, 2006: Interesting comment posted
Apex Assurance Group was at ShmooCon to talk about Security Testing and Certification. The panelists were as follows:
- Al Potter - ICSA Labs
- Bruce Potter - Booz Allen Hamilton (and Shmoo Organizer)
- Ray Potter - Apex Assurance Group
Note: there is no relation between the panelists. And why get that many Potters in one room? Because we could. 
The discussion was in BoF format, and it was certainly one of the more useful, enlightening, and entertaining discussions around security testing we’ve seen recently. First of all, *everyone* in the room was familiar with the FIPS 140, Common Criteria, and ICSA programs. And judging by the insightful comments, it was clear that the audience read the standards, understood their purpose, and implemented/configured certified products.
Must of the discussion centered around Common Criteria, where the group discussed the following:
- Certified products are not necessarily secure
There is no conclusive research that certified products are more/less vulnerable than uncertified products. FIPS 140 and Common Criteria are about assurance, not about security. One BoF participant made the comment that the programs are for point products, and hooking certified products together will not make the system secure. This is a very true and valid point; Apex Assurance Group would like to remind readers that FIPS and Common Criteria are only a part of systems security design and engineering.
One suggested resolution was to have a group of independent, certified, firewalled (”ed” - not “firewall”) experts to conduct a series of vulnerability assessments and penetration testing on the product under test in paralle to the work done by the Common Criteria evaluation and testing team. This could provide a more “security” meat behind the assurance certification. Not a bad thought, actually. The devil is in the details and the execution, of course. But it’s a valid concept.
- The value of certification is over-substantiated (or just not understood)
Surprisingly, FIPS 140 and Common Criteria weren’t faulted in their delivery of security assurance. The audience widely agreed that FIPS 140 and Common Criteria do not meet the security needs of end users. The perception and marketing of these programs took the most criticism.
From our point of view, the main take-away from the discussion is that security assurance and security testing are complex topics. There are misperceptions about the purpose and value of FIPS 140 and Common Criteria, and while they are valuable, there is vast potential for improvement in how these programs can meet the security needs of end users.
Finally, hats off to Bruce Potter and the Shmoo Group for putting this conference together. The con was well organized, well attended, and very well managed.
Posted January 16th, 2006 under Apex Assurance Group, Conferences, Security Certification.
Comments: 1
Comments:
Comment from Jim Knoke
Time: January 18, 2006, 2:49 pm
I’m not too familiar with the FIPS and ICSA programs, but I’d like to make a few comments about the CC program (my company’s XTS-400 OS finished an EAL5+ last year):
Comments on the CC program:
- I think most people would agree that a certified product is more secure than an uncertified product, *everything else being equal*. But in the real world one vendor may be more conscientious than another, or one product may be more mature than another, etc. One interesting distinction is between a certified proprietary product and an open-source uncertified product — is the targetted analysis and testing done by security experts going to result in a more secure product than ad hoc analysis and testing by some number of developers with varying degrees a security expertise?
- CC evaluations (at least at high assurance levels where the XTS-400 is) do involve general penetration testing. However the testing is targeted at claimed security features, so the customer(s) might be interested in more broad testing. Also, if the certified *product* is only part of the customers’ *system*, the CC testing may not adequately address security features of the *system*.
- Customers generally have functional and performance requirements, in addition to security requirements. A certification is not a claim that all of those other requirements are met. A CC certification does not reduce the customers burden of checking that the product meets all the other requirements. This includes security *functionality*, UNLESS the product conforms to a protection profile that encapsulates part of the functionality needed.
Write a comment