Monday, November 15, 2021

Is working for atsec an option for me?

by Michael Vogel

I’ve been with atsec for more than two years, and I am happy to be on board. But when I joined, I had some concerns. Coming from companies with thousands of employees and revenues in the billions, joining a company with less than one hundred employees worldwide and a few digits less in revenue felt like a step back in my career — although it was clear from the very beginning that I should take the role of one of the managing directors one day.

Joining would have been easier for me if I had had a counterpart inside the company with the experience I have today who could have answered the burning questions I had before I started.

For people who are hesitant to join atsec today, I will try to sort things out in a fictional interview between a virtual applicant, “Alice,” and myself.

Alice: I would want to work as an evaluator in IT Security, but I am hesitant to join atsec because I think the company is too small.
Michael: I agree that in terms of head count, we are small, but we provide a big platform. You can work on Common Criteria (CC) evaluation or Federal Information Processing Standard (FIPS) testing. You can work with colleagues from six offices around the globe: Munich, Germany; Austin, US; Stockholm, Sweden; Rome, Italy; Beijing and Shanghai, China. All our locations have a sufficient number of employees to get the job done. For locations with about 10–20 evaluators, the size of the team is big enough to successfully conclude bigger projects in a reasonable timeframe on the one hand, and the team is small enough to keep the overhead low on the other hand. If you are growing beyond, let's say, 25 or 30 people, you will have to define teams or departments anyway to manage them efficiently. You’ll still end up working with a team of 10–20 people, even within a large organization.

Alice: But bigger companies have bigger revenues.
Michael: But they also have higher costs, overhead and many more people to share the revenues. atsec takes on highly intellectually challenging evaluations. People are our assets. The most significant chunk of our costs is the salaries and bonuses for our staff. And as long as our colleagues generate sufficient revenue to pay salaries and overhead costs, it doesn't make a difference whether we have 100 people, 1,000, 10,000 or 100,000. So, what is important is the revenue per person instead of the total revenue.

Alice: But bigger companies have bigger savings. That makes me feel more secure that the company will survive bad times.
Michael: You have to ask yourself — “why does a company need savings?” You may answer that companies need to be prepared to bridge "bad times" when revenues are temporarily lower than the costs. With the current high number of concurrent profitable projects that we have at each subsidiary, talking about "bad times" feels a little strange. But atsec is also prepared for bad times. We have sufficient savings to bridge longer unpleasant periods even if we haven't experienced any in our many years in operation. The main issue in our discussion, though, is the way you are looking at this topic.

Alice: What's that supposed to mean?
Michael: If you are part of a bigger company or large conglomerate of testing facilities that span industries such as the car, oil and gas, construction, chemical, and so on, the IT security evaluation laboratory work is not the company's core business. And the likelihood is high that this domain does not produce the highest profits compared to other domains the company is engaged in. What do you think will happen when these bigger companies face “bad times,” as you called it?

Alice: At a certain point, the big company will try to secure its core business with the most profitable domains.
Michael: And they will sacrifice everything else. See — you just lost your (virtual) job. And that's not a theoretical scenario. There have been some sad real-life examples in the past years… atsec's business is not “just a bunch of different domains” competing against each other, it's a coherent business in a well-defined domain.

So, our business model is not only tailored to the domain of security evaluation. Every manager at atsec is also experienced in this business, so that the risk of failure is pretty low. And each of them knows your face and your name, if that means anything to you. atsec does not need the decision of a board to pay bonuses, increase a salary, or assign a new role. We are a flat organization, defined by one and a half levels of hierarchy. Decisions are made quickly without waiting for any board to meet. We don’t have one. Last but not least, if any "bad time" does come, since we are independent, the management will be the first to sacrifice their pay and bonus to make sure our colleagues are being taken care of first. When we have savings, we invest heavily in our people so that we all know the business well enough to avoid bad times.

Alice: What about training? What does your company offer?
Michael: Education is constant at atsec, with both internal and external courses. We have a specific internal education program for the standards we are using to perform IT security evaluations. Our internal training is thorough. At the same time, we give our new colleagues time to digest the subject, since we want them to be prepared before facing customers. Mastering a standard is like learning a new language; it takes some time before you are fluent.

Alice: What about participating in conferences and seminars?
Michael: Every year, we participate in at least two conferences: the International Common Criteria Conference (ICCC) and the International Cryptographic Module Conference (ICMC). We ask our colleagues to submit papers to these conferences. The company is a big sponsor of standards communities. We are present where more prominent companies are not. Above all, atsec is the sole founding partner of the International Cryptographic Module Conference (ICMC). We initiated it in 2013, and next year we will celebrate its 10th anniversary. We host and manage the Cryptographic Module User Forum (CMUF) and have colleagues in the ISO community and on the Common Criteria User Forum (CCUF) board. We have a colleague participating in the ad-hoc working group defining the certification scheme of the European Cyber Security Act. In addition to Common Criteria and FIPS 140-3, other colleagues in different locations are also involved with: iTC, O-TTPS, FIPS 201 PIV, SCAP, GSA, PCI, GSMA, 5G, NESAS. A few colleagues with additional interests will go to specialized conferences and seminars.

When looking at our contribution, we are way "bigger" than many big companies. From what you can see, security testing and evaluation is a large domain, requiring dedication and commitment from the company, colleagues, and new employees alike. Training, conferences, and seminars are part of the continuous learning process. That’s why I said at the beginning that we provide a big platform, where our people can grow into industry experts and become well respected through their contributions to the standardization bodies and leading roles in the security community.

Alice: Wait a minute. If all you described is true, why has no one ever tried to buy you? Shouldn't there be bigger companies eager to acquire you?
Michael: Who said nobody has tried to buy atsec? Do you have any idea how many companies tried to do precisely that? But the founders decided to remain and keep atsec independent. There have been many options where they could have cashed in, taken the money, and walked away. But they didn't. They decided to remain independent and pass the company to the new generation.

They wanted to preserve the culture imprinted in atsec’s four principles and remain an enabling platform for everyone who likes this kind of work, as was the founders' original idea. In their younger lives, they experienced difficulties in doing this kind of job for a big company. At the same time, many laboratories were acquired by those big companies and conglomerates, and shortly after, either they shut down, or the people left, overwhelmed by the corporate culture. That's something that makes me feel more secure about my job. By the way, why does this independence matter?

We are doing, for example, approval projects for the government. Do you have any idea how keen governments are to work with labs that need access to the source code of products used in government networks but that have foreign investors who could force them to share exactly that information?

Alice: You bring an interesting point. What about your turnover?
Michael: We have a lot of colleagues in the company who have stayed for ten or more years. The founders are still involved, though some are reaching retirement age. We realized that those who do not like this job leave in the first year. Those who like it tend to stay. We’ve had only a few people leave the lab to go to a vendor to do the same job on the vendor's side. Generally, these former colleagues return as customers, because they know we are good and can deliver. We had a few situations where colleagues left and then later asked to come back since they realized atsec is better.

Alice: Uha…. and you took them back?
Michael: Yes, we did! We always try in all situations to have a good environment for our colleagues whether they stay or decide to try a different career path. The employment is at will. We understand that the mind, heart and body must be in one place to achieve top performance. Colleagues who left and returned to us are treasures because they came back with their full heart.

Alice: But if you have that much insight into detailed information about relevant security products, wouldn't that be a good basis for developing your own products? I think that could be quite profitable.
Michael: If you are collaborating with customers at the level we do as evaluators, you have to keep up your customers' faith and confidence in you every day. And that only works if these words mean something to you. Customers only return to you if you manage to succeed in precisely that. If you lose their trust, they are gone for good.
That's the reason why atsec has never developed or sold any products — and from what I can see — it never will. In general, atsec doesn’t compete with its customers in any way or form. We do not require our customers to buy or develop a tool to complete an evaluation. I am proud to be part of a company with a clear vision.

Alice: I see. It looks like you know what you are doing...
Michael: That's why atsec has been in the business for more than 20 years. And the future looks promising. It will help if you keep in mind that our world is getting more digital every day. And this implies that value is shifting to the digital world more and more. So, people want it to be secured in the digital world as well. Therefore, the job of evaluators in IT security evaluation facilities is sort of “booming” at the moment. At the same time, the job requires highly trained experts in IT security, who are hard to find. But it is not only the technical expertise that matters. Integrity and reliability are essential for every single employee in that domain. atsec’s philosophy and culture is to grow our own experts organically through our rigorous and systematic training program in a nurturing environment. All we are asking is that you have passion for IT security and you are eager to learn. Do you have what it takes?

And how about YOU? Do you have what it takes? Then send your application to one of our offices - we are looking forward to hearing from you.

Friday, October 22, 2021

atsec at the (virtual) International Common Criteria Conference (ICCC) 2021

by Michael Vogel 

atsec participated in ICCC 2021 from October 19th to 20th, which was held as a fully virtual conference for the second year in a row due to the worldwide pandemic. While we appreciate having the opportunity to exchange new information as well as give and receive presentations in our domain, we cannot deny that we miss the direct contact with all the other stakeholders at the ICCC. We are hoping that we can meet face-to-face again next year.

In addition to attending the ICCC 2021, a number of atsec consultants joined the virtual CCUF Workshop held a week prior to ICCC, including a joint session between the CCDB and the CCUF. 

On the first day of the conference our colleague Michael Vogel moderated one of the sessions about Updates from Schemes and iTCs. On the second day of the conference our colleagues Rasma Araby and Michael Vogel gave a presentation about the use of NESAS vs. NDcPP for the approval of network components, which was well received by the audience and triggered several questions.

As a Gold Sponsor for the ICCC 2021, atsec hosted one of the ICCC Sponsor Showcases. In case you missed it or didn't manage to sign up for the ICCC this year, we invite you to take a look at the presentation:

ICCC 2021 Presentation from atsec information security on Vimeo.

Wednesday, September 15, 2021

Reasonable or just possible?


by Michael Vogel


A few days ago, I returned from my first business trip in months. I didn’t travel because I had to, but because I decided that it would be better to be on-site instead of handling the project remotely. And we are handling a lot of projects remotely at the moment. But this project was with a customer we had never audited before, at a site that had not been successfully formally audited so far, and the requirements to be applied were rather high.

While I was on my way back from the site, I realized that something was new here. While remote testing had been an option in the past, the choice between on-site and remote auditing for a site visit was not common in the past. At least not in my world. I think my choice this time to go on-site was the right one, although the site was half empty. Many developers were still working from home. If I think back 10 years, wasn't doing secure software development from home perceived as 'unthinkable'? Will this status remain or will it revert back to what it was? And is it on us to decide?

Our (business) world has changed a lot due to the pandemic and we find ourselves more and more in the position of asking ‘what is reasonable’ instead of ‘what is possible’. For years we were flying across the world for some technical meetings while the technology was readily available to sort things out from the desk right in front of us. Today, remote testing and remote auditing work better than ever before. And to be honest, it wasn’t too hard to get from ‘we always have to perform task xyz at our customers’ site to the point where we are today.

For years, presence in the office was a must and the option to work from home was often the exception to the rule. Today, we know that our employees can work efficiently and effectively from home as well – and not only short term. There might be requirements, rules or regulations that force us to work in the office. But where we have the freedom of choice, we should make good use of it.

There are downsides to this new freedom of choice as well, of course. We need to show more discipline regarding communication as the talks at the coffee maker that augment communication take place less frequently than before. Working remotely usually also means being well organized and prepared, and you might need to invest some of the time you are saving by working from home into that. We see employees becoming a little too socially distant and, in some cases, even lonely when they constantly work from home. In some families, tensions are on the rise when all family members are working from home all the time. Not all meetings and all audits can be held remotely. And I would really want to get back to on-site conferences today rather than tomorrow. So, all in all, home office and remote working is not the cure for everything, but it is a much more viable option than it was considered to be for many years in the past.

The real challenge, though, is to fit a subjective ‘reasonable’ measure into formal company-wide regulations based on measurable criteria, as 'reasonable' is difficult to quantify. Working for a rather small company like atsec, where we can rely more on guidelines and case-by-case decisions, is therefore quite a privilege these days. Everyone in the company knows about our business and we are the ones deciding about our own rules (as long as they are not determined by customer or accreditation requirements). We are constantly challenging ourselves to decide if we are still doing the right thing and why we are doing what we are doing - and not simply carrying out activities to satisfy a process description or a company regulation. In other words, our aim is that we are performing tasks because they are adding value for our customers and not because they can be done and can be billed. This is what determines our decision making every day. And whether we will be in the office tomorrow, on a business trip or working from home will depend on what is the best choice for our business and our customers. But we need to ensure that we are not gradually going back to where we came from. Because I also want to be sure that the next time I am on a business trip, I am on the road because it is reasonable and not only because it is possible.

Wednesday, September 1, 2021

Life of Module

Please enjoy this year's animation from Yi Mao's opening presentation at the 2021 International Cryptographic Module Conference (ICMC).

We also invite you to watch a recording of Yi Mao's welcome address for the ICMC:

Thursday, August 26, 2021

Sample Size in NIST SP800-90B

We invite you to watch this presentation by Richard Fant on Sample Size in SP800-90B.

Thursday, August 19, 2021

Introduction to the CMVP and CAVP

We invite you to watch this high-level overview about the CMVP and CAVP.

Tuesday, August 10, 2021

Do Remote Site Visits Work?

by Rasma Araby

While the home office has become the norm for many IT companies and operations during the pandemic, the requirements for security evaluation, certifications, accreditations, and other approvals have remained constant.

Site visits at the development sites are required to achieve the approval of certification and accreditation. How could this be accomplished when developers, auditors, and certifiers were located in different countries and were working from home?

In addition, there were multiple travel restrictions with varying rules in each country.

How did we do site visits for EAL3+ Common Criteria evaluations and NESAS audits?
How was atsec re-accredited by the national agency, and how did we maintain the level of certification for ISO 9000, ISO 27001, and the other accreditations our lab must carry to provide evaluation services when an auditor from these agencies had to be on-site while our atsec colleagues worked from home?
 
We performed and received these site visits remotely!
 
Special "remote site-visit" rules were provided both by the SOG-IS for CC evaluations and GSMA for NESAS audits to allow remote site visits temporarily.

During the first remote site visits, the developers, auditors, and certifiers were skeptical. The main concern regarded the effectiveness of such an examination method for:

  • examining the development processes
  • demonstrating the ways records are kept
  • conducting effective interviews
  • performing physical security examinations via video call

Going back to our first experience with a remote site visit, it went well, actually almost too well. The developers were able to show development processes and appropriate artifacts remotely. The developers were also better prepared and less nervous.
 
The auditors and certifiers were rested since they could avoid traveling. They were also better prepared since they had access to readily accessible digitally provided documentation on their computers rather than printed documentation. All documentation was examined during the video interview with the developer seamlessly, without any interruptions to the conversation.

Shortly after the first virtual site visit, some Certification Bodies issued updated procedures to state that the site visit oversight should be performed remotely using Information and Communication Technology (ICT) suitable for the purpose of the site visit oversight. They found that the remote site-visit procedures work very well and should be used, among other things, to avoid extensive traveling.

I would not dare to say that a remote site visit can replace an actual site visit. Still, it is possible to examine the majority of the security measures and development processes remotely. It depends on the goals of the site visit and the preparation by the developer, auditor, and certifier. The pandemic has taught us that a full or partial remote site visit should be considered to save time spent on traveling, save costs on travel and accommodation, and enable more sites to be audited cost-effectively.

We have experienced both sides: performing site visits and receiving them. We understand that some technical areas, such as hardware evaluations, require on-site visits based on the nature of the analysis.
 
There is a lot of discussion about returning to the office after the pandemic. Most IT companies are considering hybrid solutions, some days in the office and some from home. 

The procedures requiring on-site visits should consider the same approach of a hybrid solution: partly remote and partly on-site. It would help to shorten the on-site audit since the remote portion would help identify the part that requires the auditor's presence on-site. This, in turn, allows the on-site portion to be more focused. It won't eliminate the cost and time for traveling but might shorten the auditor's stay on-site, since the developer will also be prepared for what the auditor requires.

Friday, July 23, 2021

atsec China adds PCI CPSA (Logical and Physical) Assessor Qualifications

Beijing, July 23 2021


atsec China has been qualified by PCI SSC (Payment Card Industry Security Standards Council) as a Card Production Security Assessor (CPSA) Company to validate an entity's adherence to the PCI Card Production and Provisioning Logical Security and Physical Security Requirements (two separate security standards). Currently atsec provides the PCI Card Production Logical Security and Physical Security Standards assessment services in the CEMEA, Canada, Europe, LAC, USA and Asia Pacific markets.

The development, manufacture, transport, and personalization of payment cards and their components have a strong impact on the security structures of the payment systems, issuers, and vendors involved in their issuance. Data security is the primary focus of the standards.

The PCI Card Production and Provisioning Logical Security Requirements (“PCI Card Production Logical Security Standard”) addresses the logical security controls associated with card production and provisioning such as:

  •  EMV data preparation
  •  Pre-personalization
  •  Card embossing
  •  IC and magnetic-stripe personalization
  •  PIN generation
  •  PIN mailers
  •  Card carriers
  •  Distribution 

PCI Card Production and Provisioning Physical Security Requirements (“PCI Card Production Physical Security Standard”) define a comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment. The standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes:

  • Card Manufacturing
  • Chip embedding
  • Personalization
  • Storage
  • Packaging
  • Mailing
  • Shipping or delivery
  • Fulfillment

In addition to the card production activities above, the two standards describe the logical and physical security requirements for entities that:

  • Perform cloud-based or secure element (SE) provisioning services;
  • Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data;
  • Manage associated cryptographic keys.

atsec’s CPSA assessors can work with you to confirm the assessment scope, perform the assessment on-site, complete the PCI Card Production ROC (Report on Compliance) and AOC (Attestation of Compliance), submit them to the applicable payment brands or cooperative entities, and perform re-validation where applicable.

In addition to the assessment service, atsec offers a full range of consulting services to support your organization in achieving compliance with the PCI Card Production Logical and/or Physical Security Standards. atsec consultants have experience in each of the requirement areas (e.g. data security, network security, system security hardening and management, user management, key management, PIN distribution, personnel security management, premises security protection, production procedures security control, security audit, secure packaging and delivery), and can help you develop appropriate measures in order to achieve your compliance.

The CPSA Assessors list can be found on the official website of PCI SSC, and atsec’s qualification is shown below: 

In addition to CPSA assessor, as an accredited PCI QSA, ASV, QPA, PA QSA, P2PE, 3DS assessor, SSF assessor and PFI, atsec offers a full range of services to support organizations in achieving PCI compliance.

For more information about atsec’s PCI services, please visit:
http://www.atsec.cn/it-security-services/pci/en/index.html



Wednesday, June 16, 2021

atsec has become an official GSMA member


atsec has become an official GSMA member. The GSMA represents the interests of mobile operators worldwide, uniting more than 750 operators with almost 400 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and internet companies, as well as organizations in adjacent industry sectors.

atsec is a GSMA appointed laboratory to provide Network Equipment Security Assurance Scheme (NESAS) security audits and network product evaluations against NESAS Security Assurance Specifications (SCAS). atsec has been involved with and made significant contributions to the NESAS scheme development. Standardization and future development of the NESAS scheme will strengthen the level of security in 5G and LTE networks.

”As an official GSMA member atsec will be able to form long lasting relationships with other members in the GSMA community, contribute to standardization and boost our presence in the telecommunication ecosystem”, says Mrs Rasma Araby, COO and Laboratory Director at atsec information security AB. Mr. Staffan Persson, one of the founders of atsec, also states that “The GSMA membership only proves our global commitment to information security and assurance, and allows our new and existing Common Criteria, FIPS, and O-TTPS customers to rely on atsec for NESAS too.”

atsec offers NESAS related services to all our customers through atsec AB in Stockholm, Sweden. Together with our offices in the US, Germany, China and Italy atsec offers a range of security assessment, testing and evaluation services. Information about our services is available in our service portfolio.

Tuesday, June 8, 2021

Reflections on Security Assurance

by Staffan Persson

Some reflections on security assurance, how it can be achieved and verified, from the view of an evaluation lab.


Security assurance is usually hard to grasp, and sometimes we have seen misconceptions about how it can be achieved. One of the early milestones in understanding assurance came with the vulnerability analysis of the Multics operating system:

The internal controls of current computers repeatedly have been shown insecure through numerous penetration exercises on such systems as […]. This insecurity is a fundamental weakness of contemporary operating systems and cannot be corrected by “patches”, “fix-ups”, or “add-ons” to those systems.
Rather, a fundamental re-implementation using an integrated hardware/software design which considers security as a fundamental requirement is necessary. In particular, steps must be taken to ensure the correctness of the security related portions of the operating system.
It is not sufficient to use a team of experts to “test” the security controls of a system. Such a “tiger team” can only show the existence of vulnerabilities but cannot prove their non-existence.

– Paul Karger and Roger Schell, Multics Security Evaluation: Vulnerability Analysis, 1974


It identified the need for secure development to achieve assurance and for a systematic approach to verify assurance. But what does a secure development approach mean, and what would such an evaluation method look like? Of course these methods have to be practical, which means cost effective. They should also be mutually supportive, meaning that they should share the same interpretation of what assurance and security are, and actually contribute so that any developer assurance measures are recognized and used when doing the evaluations. It sounds obvious, but that is not always the case when looking into the methods used today.

Secure development

We need to be able to specify what we mean by security, so that we know what type of security the product should provide. Products usually only protect against certain threats, under certain conditions and when the product is used in a certain way.

A system without requirements cannot fail; it merely presents surprises.

– Young,  Boebert and Kain, “Proving a computer system secure”.
Scientific Honeyweller, 6(2):18–27, July 1985.


There are few standards for specifying security. The best known are the Protection Profiles and Security Targets in the CC. This is because the CC cannot work without an ST: the CC standard itself (ISO/IEC 15408) does not state the specific requirements for a particular evaluation. It’s not easy to do, but there are also guides for this.


Even a big standard like ISO/IEC 15408 is not a substitute for thinking, and complex matters like IT security cannot be reduced to one sentence descriptions, no matter how hard you try.

– Mike Nash, “Guide for the production of Protection Profiles and Security Targets”
ISO/IEC TR 15446:2009(E)


So what are the secure development principles? There are design and architecture principles, such as the Saltzer-Schroeder principles from 1975, which also grew directly out of the Multics experience. These and other principles are documented by Peter G. Neumann in his report “Principled Assuredly Trustworthy Composable Architectures” from 2004.


However, there is also a Technical Specification from ISO, ISO/IEC TS 19249, providing a good overview of architectural and design principles, stating:


Building a secure product, system, or application requires not only the implementation of functional requirements but also an architecture that allows for the effective enforcement of specific security properties the product, system, or application is supposed to enforce. The ability to withstand attacks the product, system, or application may face in its intended operational environment is highly dependent on an architecture that prohibits those attacks or – if they cannot be prohibited – allows for detection of such attacks and/or limitation of the damage such an attack can cause.

– Helmut Kurth, ISO/IEC TS 19249, Technical Specification from ISO


But there is more to secure development than just design principles. The importance of development processes, both for the initial development as well as for maintenance, is getting more attention. There are many different security standards that focus on that, such as GSMA NESAS and OpenSAMM (but not the CC).


Note: There is a change in focus that largely has to do with the complexity of modern products, the frequent updates made to them (new features, bug fixes and security fixes) and of course the cost of evaluating the products.


Security evaluations
What about evaluations? What should an evaluation do to demonstrate that a product meets its security requirements? On a high level, there are two aspects that could (or should) be looked at: assessment of (1) the secure development processes and (2) the product itself, i.e. the result of these processes. The assessment of a product may include a review of the design (documentation), security (functional) testing and vulnerability analysis followed by penetration testing. It may give very high confidence for a certain version of the product, but may say very little about future releases. On the other hand, the assessment of processes gives confidence that the developer has the security development processes under control, also for future products, but may say less about a specific product.


Then we have the aspect of security analysis vs compliance testing. Some standards, such as FIPS 140 used for crypto modules, focus on compliance testing, while other standards, such as Common Criteria, rely more on open-ended security analysis and a search for potential vulnerabilities. All Common Criteria evaluations done in the US use NIAP-approved Protection Profiles that more or less require compliance testing only. Compliance testing is usually more objective than an open-ended analysis because of its nature. But this means that it is less flexible when it comes to product types and functionality. On the other hand, the open-ended analysis can also verify the absence of exploitable vulnerabilities, i.e. an active search for vulnerabilities and an analysis of whether they could be exploited. This approach provides more flexibility, but also requires more evidence from the vendor and more skills from the evaluator. There are just no simple answers.


For every complex problem, there is a simple solution. And it’s always wrong.

– H.L. Mencken, US author and journalist

In summary, there is always a mixture of process and product assessment, and also of compliance and analysis. Unfortunately, many security assessment standards today have very little to do with secure development and almost none of them take secure design principles into consideration. NESAS is one exception here.


atsec is an evaluation lab for FIPS-140 (with NIST), Common Criteria (in Germany, US, Sweden, Italy, Singapore). We are also NESAS auditors and a SCAS test lab. We are involved with national accreditation in Europe and have done audits according to OpenSAMM. We have seen benefits and drawbacks with all these different approaches, but we think that the assurance measures of developers should be better recognized and so assessments should promote development assurance.


References

  1. Paul A. Karger and Roger R. Schell, “Multics Security Evaluation: Vulnerability Analysis”, 1974.
    https://www.acsac.org/2002/papers/classic-multics-orig.pdf
  2. J.H. Saltzer, M.D. Schroeder, “The Protection of Information in Computer Systems”, Proc. IEEE, vol. 63, no. 9, 1975, pp. 1278–1308. https://www.cs.virginia.edu/~evans/cs551/saltzer/
  3. Young,  Boebert and Kain, “Proving a computer system secure”,
    Scientific Honeyweller, 6(2):18–27, July 1985.
  4. ISO/IEC TR 15446:2009(E)
    “Guide for the production of Protection Profiles and Security Targets”.
  5. Peter G. Neumann, “Principled Assuredly Trustworthy Composable Architectures”, 2004.
  6. ISO/IEC TS 19249:2017, “Catalogue of architectural and design principles for secure products, systems, and applications”, Technical Specification, 2017.