All of us in the world of cybersecurity certification (manufacturers, laboratories, certification bodies...) face constant challenges, given the very nature of the products we evaluate and the speed at which they change. However, for some time now, one issue has become particularly relevant: how quickly certification can be obtained so that products meet their time to market.
Time to market, does it make sense to need almost a year to obtain a cybersecurity certification?
This is one of the issues to be resolved in the short term, especially for manufacturers, who want to get their product onto the market, certified, as soon as possible. In some cases, between the start of certification and its completion the product has undergone several modifications, and even new versions, which creates an insurmountable gap.
It can take a year, or even more, from the time a developer first shows interest in certifying a product until certification is achieved. As an example, we will take the estimated times for obtaining a Common Criteria certification at EAL 2, the highest evaluation assurance level recognised by the CCRA (Common Criteria Recognition Arrangement).
As can be seen in the timeline above, which corresponds to a Common Criteria EAL 2 certification, the effort takes no less than 30 weeks. This is before accounting for the fact that, on occasion, vulnerabilities are found in the product that the manufacturer must correct, which adds weeks of work to improve the product. So how can we speed up this process?
Automation, the only possible way?
Given the enormous effort involved in creating an internationally recognised evaluation methodology, which requires years of work and the involvement of numerous public and private entities in different countries, it does not seem likely, at least in the short to medium term, that the solution will come from substantially modifying the standards to reduce the amount of work involved in certification. Right now, therefore, the most viable proposal is to automate processes, saving time and money when carrying out a cybersecurity evaluation.
At jtsec, we have always believed in and supported automation and the creation of a common framework that uses tools to smooth certification processes.
Automation in Common Criteria
Common Criteria is an evaluation methodology with a significant documentation workload, involving several weeks of effort and continuous modifications during the process.
That is why we created tools such as CCGen for the creation of Common Criteria documentation and CCEval to automate the evaluation. In addition, thanks to funding from the European Commission in the framework of the Connecting Europe Facility (CEF) programme, we are developing CCCAB (Common Criteria Conformity Assessment Body), a free open source tool that will allow Common Criteria CABs of the new EUCC scheme to smooth the certification process of ICT products.
At ICCC21, held a few days ago, we had the opportunity to reflect on automation in cybersecurity in general, and in Common Criteria in particular, presenting CCToolbox as the most feasible tool on the market today.
The talk, entitled Automating Common Criteria, was given by José Ruiz. Stay tuned: next week we will publish a post with links to all the talks in which jtsec participated at ICCC21.
How do we smooth the evaluation process at jtsec?
Having unique tools allows us to speed up the process and be much more competitive than other Common Criteria labs. In addition, saving time and effort is a decisive factor in giving our customers peace of mind, knowing that their product will be on the market on time.
We let our customers use our tools during the consultancy process, so that both parties work within the same framework, which improves the flow of information and the exchange of documentation.
Furthermore, at jtsec, we have made a firm commitment to automation with the creation of a development department that currently employs 7 people.
If you are considering obtaining a Common Criteria certification for your product, do not hesitate to contact us; we will accompany you throughout the process for your peace of mind.