The value of CC EAL[1234567] certification

Posted Sep 30, 2004 13:38 UTC (Thu) by scripter (subscriber, #2654)
Parent article: Mandrake shoots for EAL5

The typical scenario with CC certification is that to sell to a government, they want your app or your OS to be CC certified. So you say "We'll get version 2 certified". You sign a contract for the gov to buy version 2 of your product. While you're working on CC certification, the gov starts using the app, even though it's not certified yet because certification takes a long time.

During the certification process, you realize that there are several (perhaps 300) EAL targets that your app, OS or dev process should meet at EAL5 to be considered secure. But you can only meet two targets. So, you produce the documentation to show that you can satisfy those two EAL5 targets, and now your app or OS is EAL5 certified! Maybe another competitive app is certified at EAL5 for fifty EAL targets -- but few people care really, because now that you've completed a lot of red tape, you can sell your app to even more governments and banks, etc.

By the time you've completed EAL5 certification with a lot of hand waving, perhaps you've produced versions 3, 4, 5, and 6 of your application. The government can still use the latest version of the app, even though it wasn't the one that was certified -- as long as some previous version was certified.

So, CC certification is a lot of hand waving. It might give some semblance of assurance, but it's almost meaningless to compare two competing apps that are EAL5 certified without looking at how many targets each actually met. The real reason for CC certification is so that you can sell your app to governments in several countries.

Posted Sep 30, 2004 19:01 UTC (Thu) by Max.Hyre (guest, #1054)

There's a great article on the subject by the security researcher Jonathan S. Shapiro (Johns Hopkins University Information Security Institute). My favorite comment therein is:

As I mentioned before, EAL levels run from 1 to 7. EAL1 basically means that the vendor showed up for the meeting. EAL7 means that key parts of the system have been rigorously verified in a mathematical way. EAL4 means that the design documents were reviewed using non-challenging criteria. This is sort of like having an accounting audit where the auditor checks that all of your paperwork is there and your business practice standards are appropriate, but never actually checks that any of your numbers are correct. An EAL4 evaluation is not required to examine the software at all.

An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.

