It has been an intense few days for the jtsec team, but tremendously rewarding at the same time and, why not, fun as well. Four days lecturing at two conferences with a single goal: to improve the cybersecurity of IT systems.
Last Tuesday, our CTO, José Ruiz, took a flight to Ottawa for the annual edition of ICMC (International Cryptographic Module Conference).
It was an exceptionally interesting conference and we were able to glimpse some of what the future of Common Criteria will look like, a topic extensively discussed in the different lectures, among which we highlight the following:
- Brexit, and what it means for product evaluations in the UK and Europe. Simon Milford.
- The EU Cybersecurity Act: Is this the first tangible evidence of the balkanization of Common Criteria? Joshua Brickman and Elaine Newton.
- Building Certification Bodies. Wouter Slegers.
- Is 2018 a make or break year for CC? John Boggie.
The years to come are going to be very interesting in the world of cybersecurity certification! There is no doubt that there is concern within the industry; this is the moment for us to work together to shape a better future.
The differences between the European and US approaches were also discussed, a topic that we had already addressed at the last Common Criteria User Forum in Norway.
On Thursday 10, we had the opportunity to give a lecture on the STIC Product Catalogue promoted by the CCN (thank you for your support, Estefanía!) and on how governments all around the world are introducing new ways of handling the acquisition of IT security products, focusing particularly on the new product taxonomy and how it is perfectly aligned with the Common Criteria standard.
The development of this system allows the Spanish Administration to be supplied with equipment that has passed the most advanced security controls, while at the same time giving manufacturers greater flexibility to have their products evaluated quickly and efficiently, in response to rapidly changing market demand. Thus the end consumer, the Spanish Administration, already has a simple, easy-to-use catalogue that lets it know which equipment it needs to acquire in order to guarantee the safety of its citizens.
José had the chance to make his parents proud, the fifth commandment of our decalogue, and the whole audience can vouch for it.
Make your parents proud! Something like this is the 5th commandment of our decalogue in jtsec. And our CTO knows very well how to do it! Making history at @CryptoModConf #ICMC18 talking about @CCNCERT @CCNPYTEC #CatálogoCPSTIC pic.twitter.com/HgnnqMadIa
— jtsec (@JTSecES) 11 May 2018
Meanwhile, Javier Tallón and José Manuel Pulido, COO and PM at jtsec, travelled over the weekend to the neighbouring city of Almería to share their knowledge of secure development at Supersec, the first National Congress on secure software development, organised jointly by the University of Almería, the people from hacklab Almería and the OWASP (Open Web Application Security Project) foundation.
We highlight the lecture by the renowned open source hacker Michael Meeks, developer of the LibreOffice office suite, who explained how they test the document formats supported by their application and how they handle bugs in a product of that size, and the one by Luis Jiménez, deputy director of the Centro Criptológico Nacional, who brought us up to date on cyberthreats and trends, reminding us that cybersecurity is built on ones and zeroes.
On Saturday 11, José Manuel masterfully instructed the audience on how to use Common Criteria as a tool for secure development, introducing the standard both as an evaluation methodology and as a way to ensure a product is developed with security in mind from the beginning, where defining the security requirements implemented by the product and designing its security architecture are only some of the steps that help mitigate vulnerabilities in products that follow the Common Criteria standard.
Finally, on Sunday 12, Javier Tallón spoke about defense-in-depth techniques to mitigate buffer overflows, giving a complete overview of the state of the art in compiler features that produce much safer binaries without modifying a single line of source code, and taking a journey through the mitigations proposed over the years by cybersecurity researchers and how each has been broken, forcing the development of new and clever countermeasures.
We also had time to meet new and interesting friends who wish to establish new alliances and, of course, to work together to improve the quality and safety of IT systems.
#SuperSEC Showing off #cybersec with @olea and Javier Tallon @JTSecES. We have to do this again! pic.twitter.com/IE0dyzlbBf
— Pedro J. Molina (@pmolinam) 13 May 2018
We leave you our presentations from these days to enjoy:
Spanish Catalogue of Qualified Products: A New Way of Using CC for Procurement
Common Criteria: Herramienta para el desarrollo seguro (Common Criteria: A Tool for Secure Development)
Mitigando overflows usando defensa en profundidad. ¿Qué puede hacer tu compilador por ti? (Mitigating Overflows Using Defense in Depth: What Can Your Compiler Do for You?)