Common Criteria
The Common Criteria (full name is the Common Criteria for Information Technology Security Evaluation) represents the international standard of computer security certification (ISO/IEC 15408). The latest CC version is 3.1.
In brief, it can be described as a framework with which users can specify their requirements in both assurance and functional terms; vendors can then implement the corresponding security attributes in their products, and testing laboratories can evaluate the products to see whether they meet the users' needs and the vendors' claims (Common Criteria, n.d.; Wallace, 2003). One of the main features of the framework is that it is very generic: there is no fixed list of specific security requirements that products must meet. A similar model was also used by ITSEC, but those accustomed to more prescriptive approaches have debated this peculiarity of the CC.
Among its drawbacks is the fact that a CC-certified product is not necessarily 100% secure (Wheeler, 2003). This is because vendors are free to restrict the analysis to just several features and leave the others unevaluated, which can leave their products vulnerable to certain kinds of threats. The evaluation procedure is also rather costly, and paying for it does not necessarily mean that a vendor will end up with a truly secure product (Mead, 2006; Jackson, 2007). The procedure is also very time-consuming, as it is practically impossible to assemble all the necessary documents at once.
On the whole, the Common Criteria framework has its strengths and weaknesses, as any other product does. Still, I think that the serious drawbacks listed in this paper should receive special attention, as they considerably influence vendors' level of satisfaction with CC, which could eventually put an end to it.
References
Common Criteria. (n.d.). Retrieved from http://www.rycombe.com/cc.htm
Jackson, W. (2007). Common Criteria has loads of critics, but is it getting a bum rap? Retrieved from http://gcn.com/articles/2007/08/10/under-attack.aspx
Mead, N. R. (2006). The Common Criteria. Retrieved from https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/requirements/239-BSI.html
Wallace, K. (2003). Common Criteria and Protection Profiles: How to Evaluate Information. Retrieved from http://www.sans.org/reading_room/whitepapers/standards/common-criteria-protection-profiles-evaluate-information_1078
Wheeler, D. (2003). Secure Programming for Linux and Unix HOWTO. Retrieved from http://tldp.org/HOWTO/Secure-Programs-HOWTO/x595.html