Standards for Product Security Assessment
István Zsolt Berta, Levente Buttyán, and István VAJDA, Budapest University of Technology and Economics, Hungary
Approaches for Assessing Security
How Can We Assess the Security of a Production?
Overview of Standards
Two Groups of Standards
Common Criteria Paradigm
Scope of Common Criteria
Derivation of Requirements
Evaluation Assurance Levels
Common Criteria in Practice
Common Evaluation Methodology (CEM)
Common Criteria Recognition Arrangement (CCRA)
Trends in Evaluations
Criticisms of CC
Defining the concept of a “security product” is a difficult issue. Certain products are designed with security as their primary purpose. For example, the existence of firewalls, smart cards, or intrusion detection systems can only be explained by security reasons. On the other hand, products such as operating systems, word processors, or e-mail clients have other functionalities they must fulfill; otherwise, they cannot be sold, regardless of their security. However, security is still a critical issue in this latter group, too. Security is often not a product by itself, but a requirement that all products should fulfill to a certain degree. In this sense, every IT product can be considered a security product.
It might be relatively easy to evaluate the usability of a product by testing some of the most frequent scenarios. However, the security ...