Mary Ann Davidson | In defense of common criteria

By William Jackson

THE COMMON CRITERIA Evaluation and Validation Scheme has been heavily criticized lately (GCN.com, Quickfind 850). Devised as an independent evaluation of security products against a set of standard criteria, Common Criteria has been faulted for being expensive and not providing a foolproof measure to increase security. Not everyone shares these views.

Mary Ann Davidson, chief security officer at Oracle, for one, feels Common Criteria has a number of strengths.

GCN: It seems as if the perceived value of a Common Criteria evaluation depends in large part on how a vendor approaches the process. Those that put the most into it get the best value from the investment. Is this true?
DAVIDSON: The value of assurance is the extent to which a vendor embraces it across its development processes. That said, since every vendor of [information technology] products claims, “Our product is secure: trust us!” having a third party validate the product against the Common Criteria is tremendously valuable to customers, who otherwise would have to rely on unproven security claims. Also, many vendors, including Oracle, view the Common Criteria as the starting point for assurance, not the ending point.

GCN: How do you use the Common Criteria evaluation to create a reliable, repeatable development process?
DAVIDSON: The Common Criteria allows vendors to start their evaluations with a lower Evaluation Assurance Level and improve their processes to meet a higher assurance level over time. The higher in assurance levels you go, the more aspects of your development process the evaluators validate, and thus you need more process to meet the requirements. This avoids an all-or-nothing benchmark that few vendors could meet and allows them to improve their assurance over time.

GCN: How helpful are automated vulnerability assessment tools in improving the quality of your products and in achieving evaluation?
DAVIDSON: Automated vulnerability assessment tools do not come into play in Common Criteria until you reach those Evaluation Assurance Levels that are higher than those mutually recognized under the Common Criteria Recognition Arrangement. The national schemes that use such tools do not release them to vendors, which means they are of no use in helping improve product security.


