A statistical summary created with our CCScraper tool that details everything about Common Criteria: number of certified products, countries with the most certifications, assurance level per country... and much more.
Spanish catalogue of qualified products - a new way of using CC for procurement | Javier Tallón
The acquisition of an IT security product handling national or sensitive information must be preceded by a verification process warranting that the security mechanisms implemented in the product are adequate to protect such information.
Over the past year, the Spanish state, through its certification body, has been making a considerable effort to encourage and facilitate the use of certified products in the National Administration. Different strategic lines have been used to achieve this:
• The creation of the ENS: a scheme that determines the security policy to be applied in the use of information technology, including the promotion of the use of certified or qualified devices and software.
• The promotion of Common Criteria as de facto standard for IT security certifications.
• The creation of a taxonomy and a catalogue of qualified products.
In this presentation we will focus on this last point:
The Spanish Reference taxonomy for IT security products has a set of product categories which, in turn, are divided into families: product types according to their main functionality (e.g. router, firewall, proxy, secure deletion tool, etc.).
For each product family of the taxonomy, a document has been defined containing the expected Fundamental Security Requirements (FSR), which should be taken as a reference for the development, evaluation and secure use of the products within each family, as well as a series of cases of intended use and expected operational environments.
These Fundamental Security Requirements are fully aligned with the Common Criteria standard, indicating for each product family the applicable Protection Profile or requirements, which allows direct inclusion in the catalogue.
The development of this evaluation and certification scheme is allowing the Spanish administration to procure IT equipment that has passed state-of-the-art security controls while providing manufacturers greater flexibility to evaluate their products quickly and efficiently, responding to fast-changing market demands. The final consumer, the Spanish Administration, will have a simple and manageable catalogue that allows them to know what equipment they need to purchase in order to guarantee the security of the citizen.
Our speech will present this innovative approach to procurement that could be used by other countries.
Bolt IoT Platform: How to build IoT products and prototypes easily | Pranav Pai Vernekar
Bolt is an Internet of Things platform (Hardware+Software) that enables businesses and makers to easily build IoT prototypes and products. (http://boltiot.com/)
Currently, products such as Dosamatic (an automatic dosa maker), iSafe Hooter (which looks at crowdsourced security), Humanoid Robot, Smart Bell (an automated school bell), IoT Lighting, Be Lawn Smart (an automated gardening system), etc. are built using the Bolt platform.
Bolt was one of the technologies showcased at the Startup-Konnect program 2015, organised on the sidelines of the visit by the Prime Minister of India to Silicon Valley, USA.
Bolt has also won awards such as the DST Lockheed Martin India Innovation Growth program and IoT Tech 10 by Intel and IBM for its innovation and patented technology.
Presentation to the IEA DSM ExCo of changes to our draft workplan after input from 50+ experts. All proposed changes were accepted in Norway, May 2012.
apidays LIVE Paris 2021 - Reference Guide for Sustainable IT, What’s in & How... | apidays
apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
Reference Guide for Sustainable IT, What’s in & How to?
Denis Didier, Project Manager Sustainable IT Repository at Institut du Numérique Responsable
Projects to Impact - Operationalizing Work from the Center | MITRE ATT&CK
The Center for Threat-Informed Defense conducts collaborative R&D projects to improve cyber defense. The Center's work includes developing standardized adversary emulation plans, mapping vulnerabilities to adversary tactics and techniques, and creating tools to help organizations integrate threat information. All of the Center's project outputs are made freely available to help defenders worldwide.
Reliable Engineering provides IT services and consulting for insurtech companies, including development of reliable software solutions. They have expertise in areas like customer engagement, claim management, data management, and underwriting. Reliable uses a four-step approach involving business analysis, concept creation, and customized development to improve customer experience. The company is based in Kharkiv, Ukraine and serves clients in Europe, USA, and Canada.
The document summarizes a team's proposal for developing neural network algorithms that can run on quantum computing platforms. The team consists of researchers from the University of Pavia with expertise in quantum technologies. Their idea is to develop neural network circuits (algorithms) that can accelerate applications by training networks much faster and with less energy than classical computers on quantum cloud platforms. They plan to target the oil and gas industry initially by creating customized algorithms as partners rather than pure customers. In the future, they may offer algorithms-as-a-service or software licenses. They are already testing algorithms on IBM Q and have collaborations with quantum computing hardware firms and an oil and gas company.
VICINITY is an open virtual neighborhood network that aims to connect isolated IoT infrastructures and smart objects to overcome barriers to interoperability. It will provide an IoT platform and interoperability as a service using ontologies, virtual neighborhoods, and a peer-to-peer network. This will allow for integrated infrastructures, value-added services, and testing in user cases across different domains like energy, health, transport and buildings.
[Webinar] Why Security Certification is Crucial for IoT Success | Electric Imp
[View the Webinar] - https://electrici.mp/2v1fQlI
Electric Imp CEO Hugo Fiennes and UL’s Director of Connected Technologies, Rachna Stegall, discuss the unique demands of helping to secure the IoT — and why independent certification is even more critical in this fast-evolving world.
Join us to hear Fiennes & Stegall share candid insights into why establishing an IoT Security Benchmark, such as UL 2900-2-2 Cybersecurity Certification, is critical for due diligence of edge to enterprise technologies — and the future of commercial, industrial and consumer IoT overall.
This document discusses the benefits of open source IoT compared to a closed source "worst case scenario". It describes a hypothetical smart home example where each device requires its own app, there is no data sharing or integration between devices, and the customer becomes frustrated with the expensive but poorly performing fragmented system. An open source IoT approach could address these issues by providing a common software platform, open hardware standards, and a community to improve and support the system. However, open source IoT still faces challenges around powering remote devices, connectivity at scale, security, and managing complex heterogeneous systems.
Developing Enterprise-Level IoT Solutions by Fariz Saracevic | Bosnia Agile
This session will present challenges with building enterprise-level IoT solutions, the use of Continuous Engineering practices and lifecycle management tools to address those challenges, and the resulting business value from the perspective of business and engineering leaders. One of the scenarios that we will look at in more detail is the IoT-connected car.
Reliable Engineering for Insurance provides IT services and consulting for insurtech companies. They have expertise in areas like customer engagement, claim management, data management, and underwriting. Their reliable approach involves evaluating a client's current situation, analyzing goals and plans, creating software solutions, and developing customized solutions to improve customer experience. They have technical capabilities in areas like UI/UX design, web and mobile development, big data, IoT, blockchain, and computer vision.
Fundamental Best Practices in Secure IoT Product Development | Mark Szewczul, CISSP
The document provides guidance on best practices for secure IoT product development. It discusses the top 5 security considerations which include implementing secure firmware updates, authentication and encryption on product interfaces, independent security assessments, securing companion mobile apps/gateways, and implementing a secure root of trust. It also highlights lessons learned from privacy and security issues with IoT products like baby monitors, fitness trackers, medical devices, drones, critical infrastructure systems, and autonomous vehicles. Recommendations provided include adopting a security-by-design approach, threat modeling products, implementing secure development processes, and incorporating privacy principles.
The panel discussion will focus on:
• Trends of Big Data, Cloud, IoT and other key areas.
• Software Engineering, Agile, Continuous Delivery and Quality Engineering best practices.
• Reimagining Quality through usage of the right process, frameworks, tools and overall Quality Management System.
Connect, Secure & Automate the Distribution Grid with CISCO SCADA RTU - Eximp... | Bosnia Agile
We are proud to present one of the biggest innovations in the Energy Utilities sector, developed from scratch to address the Smart Grid challenge of connecting hundreds of thousands of Electrical Secondary Sub-Stations, while ensuring SCADA Automation and Security in each sub-station, all in a cost-effective, easy-to-manage solution. While traditionally the SCADA RTU, Router and Firewall components have been thought of as 3 different physical devices, Cisco, together with Eximprod Group, has developed a 3-in-1 device that encompasses all 3 functionalities. We have named it the Cisco Scada Gateway. As a SCADA RTU, the device works with any SCADA Dispatcher and offers superior RTU functionality. As a Router, the device offers the full functionality of Cisco IOS, having the Cisco IR809 as a hardware platform, capable of multi-protocol connectivity, including dual-SIM 4G. As a Firewall, the device includes a full-featured zone-based firewall solution to segment and govern network access through the SCADA network.
InfoStretch & Peloton - Putting IoT to work | Infostretch
The people behind Peloton Cycle recognized a paradox in modern fitness. Many people want to get fit at home and balk at joining a sports team or gym. Yet home fitness routines are notoriously less successful—precisely because they lack social interaction. So with the creation of the Peloton Cycle, an indoor exercise bike capable of live streaming and on-demand group cycling classes/rides which anyone can join, the developers hit on a way to bring sporting social interaction into everyone’s home. Join Yony Feng and Harshal Vora as they discuss the process of Peloton’s developing and testing the technology that would make the concept a reality. Making the rides realistic required a virtual-reality-like answer, so that the video streaming on the bike’s tablet would correspond with the actions from the bike and vice-versa—all while designing social interactions to push and inspire the riders. This required some completely new technology combined with existing technology. See how agile development and test automation were fundamental to this project—to deal with the unknowns and stay on track.
Presentation taken from Mobile Dev + Test 2016: https://mobiledevtest.techwell.com/program/concurrent-sessions/bring-team-interaction-living-room
Results from the annual IoT Developer Survey. Includes trends on IoT programming languages, cloud platforms, IoT operating systems, messaging protocols (MQTT, HTTP), IoT hardware architectures and more.
The ISCF Digital Security by Design (DSbD) team has launched an up to £5.8 million Expression of Interest (EOI) for UK businesses to collaborate on a digital security by design business-led demonstrator project in which an additional technology ingredient or ingredients are required. The competition is currently closing on 15th April at noon; however, this is subject to review.
apidays LIVE Paris 2021 - Evaluate and improve the footprint of digital servi... | apidays
apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
Evaluate and improve the footprint of digital services
Yves Dolo, Technical Manager at Digital4Better
The document discusses an Augmate platform that provides security, scalability, and integration capabilities for enterprises to manage fleets of wearable devices. It enables IT administrators to securely manage applications, connectivity, user tracking, sensor data collection, and more from a single portal. This allows wearable technology to have a high ROI across industries like manufacturing and healthcare by supporting them in secure enterprise environments.
Call for papers - International Conference on Networks & IOT (NeTIOT 2020) | ijassn
International Conference on Networks & IOT (NeTIOT 2020) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of Computer Networks & IOT.
Semantic Analytics: The accelerator of Artificial Intelligence Digital Markets | ATMOSPHERE
Dr. Martin Serrano is an expert in information and communications technology (ICT) and the Internet of Things (IoT). He currently serves as the Head Unit Leader and Chair of the IoT Experimentation Chapter of the Institute of Electrical and Electronics Engineers (IEEE). He also serves as Vice-Chair of Working Group 01 of the Association for IoT Innovation (AIOTI). The document outlines Dr. Serrano's background and experience in cloud computing, semantics, stream processing, edge computing, artificial intelligence, and their application to IoT systems. It also discusses how analytics can accelerate artificial intelligence and digital markets.
The document discusses the IBTA Integrators' List, which is a compilation of InfiniBand products that have been tested and approved as compliant with the InfiniBand specification. Products are added to the list following testing at IBTA-sponsored events twice a year. Vendors with listed products can access marketing benefits and use logos on their products. The list is intended to help IT professionals select validated InfiniBand solutions and currently includes several hundred products.
This document summarizes input from an open call on issues regarding the adoption, economic value, standards/governance, privacy/trust, and safety/security of IoT. Some of the key challenges mentioned include the need for transparency to drive adoption, understanding security to properly value it, fragmented standards, balancing privacy and clinical benefits, and restricting technical security approaches due to limited IoT device resources. Providing demonstrators, reducing development costs, and sharing best practices were suggested to help address some of these issues.
An annual survey of the IoT developer community that was sponsored by Eclipse IoT, AGILE IoT and IEEE IoT. The report includes developer usage of different IoT standards, technology and industry perceptions.
Semantic Analytics: The accelerator of Artificial Intelligence Digital Markets | ATMOSPHERE
This document profiles Dr. Martin Serrano, an expert in ICT/IoT and artificial intelligence. It lists his professional roles and experience, which include leading an IEEE chapter on IoT experimentation and serving as vice chair of an AIOTI working group. The document then discusses topics related to Dr. Serrano's expertise, including semantic analytics accelerating artificial intelligence's digital markets, the importance of analytics for AI, and AI as a service digital markets.
2022 CC Statistics report: will this year beat last year's record number of c... | Javier Tallón
CC Scraper is a tool developed by jtsec 5 years ago that automatically analyses the information from the CC and CBs portals using OCR capabilities and other features. It includes detailed insights about Common Criteria such as certifications per assurance level, trends by Protection Profile and ranking of manufacturers, among others. We have published free annual reports on these statistics. In last year’s edition, we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data for the first three quarters of 2022? Will this year beat last year’s record number of certifications? Which labs and vendors will be at the top?
This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.
ICCC2023 Statistics Report, has Common Criteria reached its peak? | Javier Tallón
As has been customary in recent editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CBs portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria’s data in a year when the market has stabilized after several years of political and health instability.
VICINITY is an open virtual neighborhood network that aims to connect isolated IoT infrastructures and smart objects to overcome barriers to interoperability. It will provide an IoT platform and interoperability as a service using ontologies, virtual neighborhoods, and a peer-to-peer network. This will allow for integrated infrastructures, value-added services, and testing in user cases across different domains like energy, health, transport and buildings.
[Webinar] Why Security Certification is Crucial for IoT SuccessElectric Imp
[View the Webinar] - https://electrici.mp/2v1fQlI
Electric Imp CEO, Hugo Fiennes, and UL’s Director of Connected Technologies, Rachna Stegall discuss the unique demands of helping to secure the IoT — and why independent certification is even more critical in the fast-evolving world.
Join us to hear Fiennes & Stegall share candid insights into why establishing an IoT Security Benchmark, such as UL 2900-2-2 Cybersecurity Certification, is critical for due diligence of edge to enterprise technologies — and the future of commercial, industrial and consumer IoT overall.
This document discusses the benefits of open source IoT compared to a closed source "worst case scenario". It describes a hypothetical smart home example where each device requires its own app, there is no data sharing or integration between devices, and the customer becomes frustrated with the expensive but poorly performing fragmented system. An open source IoT approach could address these issues by providing a common software platform, open hardware standards, and a community to improve and support the system. However, open source IoT still faces challenges around powering remote devices, connectivity at scale, security, and managing complex heterogeneous systems.
Developing Enterprise-Level IoT Solutions by Fariz SaracevicBosnia Agile
This session will present challenges with building enterprise-level IoT solutions, the use of Continuous Engineering practices and lifecycle management tools to address those challenges, and the resulting business value from the perspective of business and engineering leaders. One of the scenarios that we will look at more details is around IoT-connected car.
Reliable Engineering for Insurance provides IT services and consulting for insurtech companies. They have expertise in areas like customer engagement, claim management, data management, and underwriting. Their reliable approach involves evaluating a client's current situation, analyzing goals and plans, creating software solutions, and developing customized solutions to improve customer experience. They have technical capabilities in areas like UI/UX design, web and mobile development, big data, IoT, blockchain, and computer vision.
Fundamental Best Practices in Secure IoT Product DevelopmentMark Szewczul, CISSP
The document provides guidance on best practices for secure IoT product development. It discusses the top 5 security considerations which include implementing secure firmware updates, authentication and encryption on product interfaces, independent security assessments, securing companion mobile apps/gateways, and implementing a secure root of trust. It also highlights lessons learned from privacy and security issues with IoT products like baby monitors, fitness trackers, medical devices, drones, critical infrastructure systems, and autonomous vehicles. Recommendations provided include adopting a security-by-design approach, threat modeling products, implementing secure development processes, and incorporating privacy principles.
The panel discussion will focus on the :
Trends of Big Data, Cloud, IOT and other key areas.
Software Engineering, Agile , Continuous Delivery and Quality Engineering best practices.
Reimagining Quality through usage of the right Process, frameworks, tools and overall Quality Management System.
Connect, Secure & Automate the Distribution Grid with CISCO SCADA RTU - Eximp...Bosnia Agile
We are proud to present one of the biggest Innovations in the Energy Utilities sector, developed from scratch to address the Smart Grid challenge of connecting hundreds of thousands of Electrical Secondary Sub-Stations, while ensuring SCADA Automation and Security in each sub-station, all in a cost-effective, easy to manage solution. While traditionally, the SCADA RTU, Router and Firewall components have been thought about as 3 different physical devices, Cisco, together with Eximprod Group, have developed a 3-in-1 device, that encompasses all 3 functionalities. We have named it the Cisco Scada Gateway. As a SCADA RTU, the device works with any SCADA Dispatcher and offers superior RTU functionality. As a Router, the device offers the full functionality of Cisco IOS having the Cisco IR809 as a hardware platform, capable of multi-protocol connectivity, including dual-sim 4G. As a Firewall, the device includes a full-features zone-based firewall solution, to segment and govern network access through the SCADA network.
InfoStretch & Peloton - Putting IoT to workInfostretch
The people behind Peloton Cycle recognized a paradox in modern fitness. Many people want to get fit at home and balk at joining a sports team or gym. Yet home fitness routines are notoriously less successful—precisely because they lack social interaction. So with the creation of the Peloton Cycle, an indoor exercise bike capable of live streaming and on-demand group cycling classes/rides which anyone can join, the developers hit on a way to bring sporting social interaction into everyone’s home. Join Yony Feng and Harshal Vora as they discuss the process of Peloton’s developing and testing the technology that would make the concept a reality. Making the rides realistic required a virtual-reality-like answer, so that the video streaming on the bike’s tablet would correspond with the actions from the bike and vice-versa—all while designing social interactions to push and inspire the riders. This required some completely new technology combined with existing technology. See how agile development and test automation were fundamental to this project—to deal with the unknowns and stay on track.
Presentation taken from Mobile Dev + Test 2016: https://mobiledevtest.techwell.com/program/concurrent-sessions/bring-team-interaction-living-room
Results from the annual IoT Developer Survey. Includes trends on IoT programming languages, cloud platforms, IoT operating systems, messaging protocols (MQTT, HTTP), IoT hardware architectures and more.
The ISCF Digital Security by Design (DSbD) team has launched an up to £5.8 million Expression of Interest (EOI) for UK businesses to collaborate on digital security by design business-led demonstrator project in which an additional technology ingredient or ingredients are required. The competition currently closing on 15th April at noon, however it is subject to review.
apidays LIVE Paris 2021 - Evaluate and improve the footprint of digital servi...apidays
apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
Evaluate and improve the footprint of digital services
Yves Dolo, Tecnical Manager at Digital4Better
The document discusses an Augmate platform that provides security, scalability, and integration capabilities for enterprises to manage fleets of wearable devices. It enables IT administrators to securely manage applications, connectivity, user tracking, sensor data collection, and more from a single portal. This allows wearable technology to have a high ROI across industries like manufacturing and healthcare by supporting them in secure enterprise environments.
call for papers - International Conference on Networks & IOT (NeTIOT 2020)ijassn
International Conference on Networks & IOT (NeTIOT 2020) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of Computer Networks & IOT.
Semantic Analytics: The accelerator of Artificial Intelligence Digital MarketsATMOSPHERE .
Dr. Martin Serrano is an expert in information and communications technology (ICT) and the Internet of Things (IoT). He currently serves as the Head Unit Leader and Chair of the IoT Experimentation Chapter of the Institute of Electrical and Electronics Engineers (IEEE). He also serves as Vice-Chair of Working Group 01 of the Association for IoT Innovation (AIOTI). The document outlines Dr. Serrano's background and experience in cloud computing, semantics, stream processing, edge computing, artificial intelligence, and their application to IoT systems. It also discusses how analytics can accelerate artificial intelligence and digital markets.
The document discusses the IBTA Integrators' List, which is a compilation of InfiniBand products that have been tested and approved as compliant with the InfiniBand specification. Products are added to the list following testing at IBTA-sponsored events twice a year. Vendors with listed products can access marketing benefits and use logos on their products. The list is intended to help IT professionals select validated InfiniBand solutions and currently includes several hundred products.
This document summarizes input from an open call on issues regarding the adoption, economic value, standards/governance, privacy/trust, and safety/security of IoT. Some of the key challenges mentioned include the need for transparency to drive adoption, understanding security to properly value it, fragmented standards, balancing privacy and clinical benefits, and restricting technical security approaches due to limited IoT device resources. Providing demonstrators, reducing development costs, and sharing best practices were suggested to help address some of these issues.
An annual survey of the IoT developer community that was sponsored by Eclipse IoT, AGILE IoT and IEEE IoT. The report includes developer usage of different IoT standards, technology and industry perceptions.
Semantic Analytics: The accelerator of Artificial Intelligence Digital Markets - ATMOSPHERE
This document profiles Dr. Martin Serrano, an expert in ICT/IoT and artificial intelligence. It lists his professional roles and experience, which include leading an IEEE chapter on IoT experimentation and serving as vice chair of an AIOTI working group. The document then discusses topics related to Dr. Serrano's expertise, including semantic analytics accelerating artificial intelligence's digital markets, the importance of analytics for AI, and AI as a service digital markets.
2022 CC Statistics report: will this year beat last year's record number of c...Javier Tallón
CC Scraper is a tool developed by jtsec 5 years ago that automatically analyses the information on the CC and CB portals using OCR and other features, producing detailed insights about Common Criteria such as certifications per assurance level, trends by Protection Profile and manufacturer rankings. We have published free annual reports based on it. In last year's edition we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data for the first three quarters of 2022? Will this year beat last year's record number of certifications? Which labs and vendors will be in the top?
This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.
ICCC2023 Statistics Report, has Common Criteria reached its peak?Javier Tallón
As is customary in the last editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CBs portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria’s data in a year when the market has stabilized after several years of political and health instability.
This document summarizes Common Criteria certification statistics from various sources including the CCScraper tool. It provides statistics for 2021 based on data collected up to September 30th, highlighting the top certification schemes, assurance levels, laboratories, product categories and manufacturers. It also analyzes trends over the past 5 years and discusses the impact of the COVID-19 pandemic on certification numbers.
The document is a newsletter from CAW Consultancy providing updates on standards, legislation, and other industry news. It discusses the new ISO 18788 standard for private security management systems, which provides a framework to ensure security operations meet requirements. It also summarizes other new laws and standards around GDPR, employment, health and safety, and environmental regulations. The newsletter promotes CAW Consultancy's services including ISO consultancy, digital management systems, and certification services. It highlights some client successes and announces charity sponsorship opportunities.
The State of Open Source for Software Alliance Germany 2023-04-14Shane Coughlan
This document discusses the increasing complexity of open source software use in corporate environments due to new rules and guidelines around software bills of materials and supply chain security. It notes that while open source is important for businesses, many companies have limited visibility into their software supply chains due to relying on spreadsheets rather than proper processes. Standards like OpenChain and upcoming ISO standards aim to provide best practices for open source license compliance and security assurance. Widespread adoption of these standards could help create a more predictable and secure software supply chain. The document outlines support and resources for organizations looking to implement these standards.
ISMA 9 - van Heeringen - Using IFPUG and ISBSG to improve organization successHarold van Heeringen
Introduction to the International Software Benchmarking Standards Group and 3 cases in which function points together with ISBSG data really resulted in business value:
- Reality check of an estimate made by experts
- Assessing the competitive position of a department
- Selecting a single software supplier
This document provides an overview of the OpenChain Project, which establishes standards for open source licensing and security. It discusses the OpenChain standards for license compliance (ISO/IEC 5230) and security assurance (ISO/IEC DIS 18974). It highlights that over 1,000 companies are working to improve supply chain management through OpenChain. It also summarizes news and developments around OpenChain standards adoption and certification.
The OpenChain Project aims to create and maintain standards for open source licensing and security. It has over 1,000 company members representing trillions in market value. The project develops specifications like ISO 5230 for open source license compliance and a new DIS 18974 for security assurance. It provides free materials to help companies self-certify their supply chain processes and offers third-party certification. The project is expanding its standards, outreach, and community participation to build a more transparent and secure software supply chain.
Assocham global conference audit data standards - 28.10.2020Vinod Kashyap
The document discusses the need for audit data standards to facilitate interoperability between accounting and audit software. It notes that currently, heterogeneity in client data formats makes audit automation challenging. Audit data standards like ADS and ISO 21378 aim to standardize data elements and definitions to allow automated extraction and analysis of audit evidence across different systems. The document outlines several audit data standards and explains how they promote efficiency and effectiveness by reducing data integration issues faced by auditors. Overall, audit data standards are necessary to realize the full potential of technologies like audit data analytics in the digital transformation of auditing.
The document discusses the adoption of augmented reality (AR) and virtual reality (VR) technologies in manufacturing industries. It finds that 32% of companies are investing in AR/VR, mainly for product development, team collaboration, and maintenance. While adoption is increasing, some companies cite costs and lack of practical applications as barriers. The document outlines several use cases where AR/VR provides benefits in areas like design, assembly, inspection, and training. It recommends Tata Steel collaborate with technology providers and academic institutions to implement AR/VR and develop related skills for applications like maintenance and product development.
The document summarizes the OpenChain Project, which creates and maintains standards for open source licensing and security. It discusses the project's goals of improving supply chain visibility and management through standards like ISO 5230 for licensing and the forthcoming ISO 18974 for security. It provides an overview of the project's community and commercial support network, which includes hundreds of companies, certifiers, service providers, and tooling vendors working to establish best practices for open source compliance.
The programmable RegTech Eco System by Liv Apneseth WatsonWorkiva
Liv Watson from Workiva presented on regulatory technology (RegTech) and how it can help organizations more efficiently and effectively meet growing regulatory reporting demands. Some key points included:
- Regulatory requirements have increased in complexity and volume, outpacing human capabilities without technology. RegTech aims to address this through automation.
- RegTech tools and strategies span areas like compliance management, regulatory reporting, risk management, and "smart audits". Emerging areas include blockchain, data standards like XBRL, and predictive analytics.
- Adopting a flexible data architecture with single-source and multiple-version data models can help organizations better leverage RegTech across functions like finance, risk, and ESG reporting.
In Spite Of Billions Of Dollars Spent On Business Intelligence And Analytics, The Industrial Era Metrics We Use To Measure Business Risk And Performance Are Broken And Failing The C-suite
This document outlines an agenda for a symposium on performance measurement and management in Industry 4.0. The agenda includes an overview of CAREL, their digital roadmap, future architecture, and focus on several projects including machine vision, machine integration, a control tower, and total productive maintenance. CAREL is an electronics company with over 1500 employees working to develop control solutions to help customers in refrigeration, HVAC, and other industries protect the environment.
Charles Farina - Analytics Pros (All Things Data 2015)Shuki Mann
Charles Farina gave a presentation on cross device measurement using Google Analytics. He discussed the challenges of cross device tracking, including barriers like privacy regulations. He demonstrated how to set up cross device measurement by configuring user-IDs and session stitching in Google Analytics. Farina also provided advice for getting started with cross device tracking, such as starting small and having a roadmap.
Cross Device Measurement - All Things Data ConferenceCharles Farina
Cross-Device Measurement with Google Analytics. Example using Bocce and Hubpot. Walk-through of how to best get started using the Universal Analytics measurement protocol.
Evolving cryptographic evaluation - Episode II - Javier Tallón
No manufacturer is unaware that the cryptographic requirements for developing any product keep growing. For that reason CCN has developed, with support from jtsec, a methodology that includes conformance testing, the search for common implementation errors, and implementation requirements for cryptographic primitives, applied to the LINCE methodology. In this talk we will explain the main new features introduced in the Cryptographic Mechanisms Evaluation Methodology presented last year, as well as the definition of the new Cryptographic Evaluation Methodology in accordance with CCN-STIC-130.
How to evaluate biometric solutions to include video identification products... - Javier Tallón
There is currently a large number of biometric solutions on the market, increasingly applied in key sectors such as banking, public administration and insurance.
The Ministry of Economic Affairs and Digital Transformation published the first ministerial order, in BOE no. 115 of 14 May 2021, regulating remote video identification methods for the issuance of recognised electronic certificates. Following this legislation, CCN developed a biometric evaluation module (MEB) that allows biometric solutions to be evaluated under both the LINCE methodology and Common Criteria, following guide IT-014.
The talk explains how guide IT-014 is applied and the different types of presentation attacks it covers: impostor, video-based, mask-based, deepfake tools, etc.
The talk is eminently technical and will show examples of real attacks executed during evaluations.
jtsec, with its experience in the first evaluations of biometric solutions, will offer an overview of how those evaluations were carried out and which types of attacks are hardest for vendors to mitigate.
The talk describes the particularities of cloud evaluations, both technically and in terms of process. It also highlights the efforts made at national level so that this type of solution can be evaluated.
ICCC23 -The new cryptographic evaluation methodology created by CCNJavier Tallón
The use of cryptographic primitives to safeguard sensitive information in hardware, software and firmware products is becoming widespread. Recognising the increasing cryptographic requirements, CCN (Centro Criptológico Nacional, the Spanish certification body) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives.
The primary objective of this cryptographic methodology is to establish a standardised framework for conducting cryptographic evaluations of Targets of Evaluation (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more.
During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.
Experiences evaluating cloud services and productsJavier Tallón
The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, even though many administrations are migrating to cloud solutions.
This talk will not cover cloud programmes such as FedRAMP, ENS, C5, SecNumCloud or the ENISA EUCS scheme. All of these schemes evaluate the cloud infrastructure and the controls specified in the respective standards.
But in those standards we cannot find assurance requirements related to the product/service itself. For example, if your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications, but it would NOT be possible to obtain a CC certification using NIAP PPs.
To solve this problem, a practical approach has been followed in Spain: evaluating cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of process.
In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…).
We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
The advantage of implementing a cybersecurity solution certified by the C... - Javier Tallón
The document introduces the Centro Criptológico Nacional (CCN) and the Esquema Nacional de Seguridad (ENS), and explains that CCN-STIC 105, the Catalogue of ICT Security Products and Services (CPSTIC), offers a list of products whose security guarantees have been verified by CCN. It also describes the LINCE and Common Criteria certification processes for including products in the catalogue, and the benefits this brings to organisations.
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfJavier Tallón
The draft of the URWP (Union Rolling Work Programme) of the European commission suggests a European Crypto Scheme as one of the potential schemes to be created under the CSA. The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is becoming increasingly widespread. Until now, there has been a reference methodology for cryptographic evaluation at international level, FIPS 140-3. Nonetheless, at the SOG-IS level, there have been efforts to harmonize evaluations in Europe. The publication of the SOGIS Agreed Cryptographic Mechanisms or the SOGIS Harmonised cryptographic Evaluation Procedures show the efforts conducted in Europe during the last years. However, the pandemic situation has slowed down the progress. This talk will present the new approach to evaluate cryptography in Spain according to the methodology created jointly by CCN (Spanish CB) and jtsec, which could serve as a base for a potential European scheme. In addition, this talk will show the tool created to verify the conformance of cryptographic primitives.
This presentation will be especially useful for schemes and government entities to check if the approach could fit their needs.
You have surely seen how more and more sectors, such as banking or insurance, allow legally binding accounts to be opened without (a priori) the intervention of a human operator, thanks to video identification processes. But have you asked yourself how secure they are?
The Ministry of Economic Affairs and Digital Transformation, in BOE no. 115 of 14 May 2021 and prompted by the health emergency caused by the COVID-19 crisis, regulated remote video identification methods for the issuance of qualified electronic certificates, which obliges providers of this type of service to validate their solutions under the terms set out in Annex F11 of the CCN-STIC-140 guide of the Centro Criptológico Nacional.
That annex requires an accredited laboratory to carry out presentation attacks against this type of solution to verify its resistance to techniques such as hyper-realistic masks, deepfakes or contouring. In this talk we will go into the technical details of those attacks and tell you how we managed to inject video into many of these solutions.
Evolving cryptographic evaluation - Javier Tallón
The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is increasingly widespread. For that reason, CCN developed in its ICT Security Guide CCN-STIC 2002 a Cryptographic Evaluation Module (MEC) that applies to different solutions implementing cryptographic algorithms. This module serves as a reference in numerous evaluations under the LINCE methodology, where it is applied as an additional module.
Because of the ever-growing cryptographic requirements, CCN has developed, with support from jtsec, a methodology that includes conformance testing, the search for common implementation errors, and implementation requirements for cryptographic primitives.
The goal of the cryptographic methodology is to establish a common framework for carrying out the cryptographic evaluations of TOEs that are to be evaluated for a Common Criteria certificate, LINCE with cryptographic validation, or STIC with cryptographic validation.
This talk will present the new approach to evaluating cryptography in Spain according to the methodology created jointly by CCN and jtsec. We will also show the tool created to verify the conformance of cryptographic primitives. This presentation will be especially useful for product developers, who will learn about the requirements that will be demanded from now on.
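Both cryptographic-methodology abstracts above (the ICCC23 one and this one) mention conformance testing of cryptographic primitives and the hunt for common implementation errors. As an added illustration of what that means in practice (this is example code written for this page, not the CCN/jtsec methodology or its tool, neither of which is published here), the following Python harness runs an implementation under test against published known-answer vectors (the FIPS 180-4 SHA-256 example messages and RFC 4231 HMAC-SHA256 test case 2) and collects every mismatch rather than stopping at the first. The two faulty implementations (`sha256_truncated`, `naive_keyed_hash`) are constructed here to show that the same vectors catch two classic errors: a wrong output length and a keyed hash built as H(key || msg) instead of the HMAC construction.

```python
"""Known-answer-test (KAT) harness for hash and MAC primitives.

Added example for this page; it is not the CCN/jtsec tool. It shows the
skeleton of a cryptographic conformance check: run the implementation under
test against published vectors and collect every mismatch.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

HashFn = Callable[[bytes], bytes]
MacFn = Callable[[bytes, bytes], bytes]

# Published vectors. SHA-256: the FIPS 180-4 example messages.
# HMAC-SHA256: RFC 4231 test case 2 (key "Jefe").
SHA256_VECTORS: List[Tuple[bytes, str]] = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
]
HMAC_SHA256_VECTORS: List[Tuple[bytes, bytes, str]] = [
    (b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


def _check(got: object, expected_hex: str, label: str) -> List[str]:
    """Return the failure strings for one vector (empty list if it passed)."""
    if not isinstance(got, (bytes, bytearray)):
        return [f"{label}: returned {type(got).__name__}, expected bytes"]
    if len(got) != len(expected_hex) // 2:
        return [f"{label}: digest length {len(got)} bytes, expected {len(expected_hex) // 2}"]
    if bytes(got).hex() != expected_hex:
        return [f"{label}: got {bytes(got).hex()}, expected {expected_hex}"]
    return []


def run_hash_kat(impl: HashFn, vectors=SHA256_VECTORS) -> List[str]:
    """Run a hash implementation over every vector and collect all failures."""
    failures: List[str] = []
    for i, (msg, expected) in enumerate(vectors):
        failures += _check(impl(msg), expected, f"sha256 vector {i}")
        # A repeated call on the same input must give the same answer (no hidden state).
        if impl(msg) != impl(msg):
            failures.append(f"sha256 vector {i}: non-deterministic output")
    return failures


def run_mac_kat(impl: MacFn, vectors=HMAC_SHA256_VECTORS) -> List[str]:
    """Run a MAC implementation over every (key, message) vector."""
    failures: List[str] = []
    for i, (key, msg, expected) in enumerate(vectors):
        failures += _check(impl(key, msg), expected, f"hmac vector {i}")
    return failures


# Reference implementations (Python stdlib) that should pass every vector.
def sha256_ref(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


def hmac_sha256_ref(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


# Constructed faulty implementations, each showing a classic pitfall.
def sha256_truncated(msg: bytes) -> bytes:
    """Returns only 128 bits of the digest: wrong output length."""
    return hashlib.sha256(msg).digest()[:16]


def naive_keyed_hash(key: bytes, msg: bytes) -> bytes:
    """H(key || msg) instead of HMAC: wrong construction, open to length extension."""
    return hashlib.sha256(key + msg).digest()


def conformance_report() -> Dict[str, List[str]]:
    """Run every implementation against its vectors; return {name: failures}."""
    return {
        "sha256_ref": run_hash_kat(sha256_ref),
        "sha256_truncated": run_hash_kat(sha256_truncated),
        "hmac_sha256_ref": run_mac_kat(hmac_sha256_ref),
        "naive_keyed_hash": run_mac_kat(naive_keyed_hash),
    }


if __name__ == "__main__":
    for name, failures in conformance_report().items():
        print(f"{name}: {'PASS' if not failures else 'FAIL'}")
        for f in failures:
            print("   ", f)
```

The point of collecting every failure instead of raising on the first is that an evaluator wants the full picture of an implementation's deviations (length, encoding, construction) in one run; a real conformance suite would simply carry many more vectors per primitive and cover the rest of the primitives a TOE claims.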
Spain and CCN as benchmarks in the cybersecurity evaluation of solutions... - Javier Tallón
Developing products built directly in the cloud (cloud native) is an increasingly common practice in the industry. The Spanish administration is no exception to this trend, and migrations to the cloud are ever more frequent. Deployment and management take place in the cloud, and these are usually developments in constant evolution, giving manufacturers more flexibility to continuously improve their products.
Faced with the continuous increase in products developed in the cloud, in February 2020 CCN published Annex G of the "ICT Security Guide CCN-STIC 140" for the STIC product taxonomy - Cloud services, which sets out the Fundamental Security Requirements (RFS) for this type of service, considered additional requirements that complement those defined for each product family. It is a pioneering guide internationally for evaluating cloud services, so it is worth noting that Spain is the first country to create an evaluation methodology for this type of service. Cloud evaluations normally focus on the management and infrastructure of the service/product, leaving aside the security functionality the service itself implements.
In cybersecurity evaluations there is the particularity that these services/products cannot be fully controlled/installed in the laboratory when performing the evaluation, so they cannot be certified using the LINCE or Common Criteria methodologies. This problem exists internationally.
To resolve this situation, CCN designed a strategy for evaluating cloud services through complementary STIC evaluations using the LINCE methodology.
This route has allowed cloud services to be qualified in the CPSTIC / CCN-STIC 105 catalogue. To date, there are 6 cloud services included in the CPSTIC catalogue, all of them evaluated by jtsec.
At jtsec we have had to adapt technologically to tackle this type of evaluation, since around 70% of the evaluations jtsec started in 2022 correspond to cloud services.
The talk will describe the particularities of cloud evaluations, both technically and in terms of process. It will also highlight the efforts made at national level so that this type of solution can be evaluated.
EUCA 22 - Let's harmonize labs competence ISO 19896Javier Tallón
Harmonization on the competence of the different labs/evaluators have been always a topic for discussion in the Cybersecurity Certification community.
At ISO level, a new standard has been approved aiming to support this goal: ISO 19896.
ISO/IEC 19896 specifies the requirements for information security testers and evaluators, including a set of concepts and relationships for understanding the competence of individuals performing Common Criteria evaluations.
The requirements of this new ISO standard allow verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this standard and how to apply it in Common Criteria, which will be explained during the talk.
Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO and other related standards.
EUCA22 Panel Discussion: Differences between lightweight certification schemesJavier Tallón
As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/Fixed-time methodologies (CPSN, BSPA, BSZ and LINCE). All of them with many similarities, but also with quite a few national differences within them. This panel discussion will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss on the future European fixed-time methodology lead by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one. The panel will discuss the potential impact that FITCEM will have both technically and in terms of the European market to the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).
Common Criteria is the most used international standard for cybersecurity certification of ICT products. CC has lights and shadows, and for most stakeholders the main drawback might be the assurance continuity process. The application of CC to re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new product versions. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 has been working hard in recent years to prepare the technical specification that could be used to evaluate the TOE's patching functionality and the developer's patch management, by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and how it addresses the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of ISO/IEC TS 9565.
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
The proliferation of new cybersecurity standards/schemes shows the interest of all stakeholders in requiring cybersecurity for ICT products. On the other hand, harmonisation and mutual recognition between standards/schemes is needed; otherwise there could be too many standards, making certification non-cost-effective for developers.
For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and their supply chain are not confined to a single vertical. On the contrary, the building blocks of an IoT device are used in several other verticals. Assuming that these building blocks have demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy not to repeat those proofs of compliance but instead to accept them across standards and schemes where applicable.
This talk will highlight the importance of accepting certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de facto acceptance of underlying CC results, SESIP to IEC 62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc.) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU Commission).
The talk will be given from the developer perspective (Georg Stütz from NXP) and lab perspective (Jose Ruiz from jtsec)
How to include products and services in the CPSTIC catalogue (CCN-STIC 105)? - Javier Tallón
Including products and services in the reference cybersecurity catalogue for the Public Administration is not straightforward.
A LINCE or Common Criteria evaluation must be passed in order to enter the catalogue.
The CPSTIC catalogue can include both on-premise and cloud solutions, which is a great advantage for cloud-native developers.
In this presentation we explain the different ways of including a solution in the CPSTIC catalogue, and the steps to follow.
Is Automation Necessary for the CC Survival?Javier Tallón
The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common Criteria evaluations, both by laboratories and by the Certification Bodies, is limited. The automation of certain processes through the use of tools created specifically for this purpose is seen as the only possible way to speed up the process, both in terms of time and workload. How will the use of tools affect the immediate future of the different stakeholders in Common Criteria? Will automation lead to an increase in the number of certifications and the possibility that more companies will be able to become certified?
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC.
In this year's presentation, we will show the specifications that have been defined to interact with the tool and present the current status of the development, including the first operational version of CCCAB. Finally, we will discuss the challenges of making the tool widely accessible.
CCCAB, the European bet on automating Certification Bodies... - Javier Tallón
Article published in issue no. 148 of Revista SIC, presenting the tool we are developing, a pioneer in the market.
CCCAB is a project funded by the European Commission under the Connecting Europe Facility (CEF) programme that saves time and effort for CABs (Conformity Assessment Bodies), lightening their workload to optimise the certification phase.
This document discusses José Ruiz and his experience with Common Criteria and FIPS certification standards. It then summarizes the need for automation tools to streamline the certification process, addressing issues like a lack of engineers and high paperwork demands. Specific tools are mentioned, including NIAP's tool for automating security targets and CCToolbox, which the document's author developed. CCToolbox aims to simplify and automate documentation, evaluation activities, and the overall certification workflow. Benefits discussed include reduced time and costs for manufacturers and laboratories.
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for assurance level "high", and CABs (Conformity Assessment Bodies) for assurance level "substantial", operating under the EUCC scheme (the Common Criteria based European candidate cybersecurity certification scheme).
CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project.
CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. The presentation will show the objectives, status of the development and the potential of the tool and what it will mean for the different stakeholders involved in a Common Criteria certification process.
2020 Statistics Report. Is the industry surviving to lockdown?
3. Contents
- CC data collection with CCScraper
- CC statistics for 2020
- CC statistics for 5 years
- Some historical CC statistics
- Conclusions
5. What is CCScraper
Web scraper written in Python, created in 2018 by jtsec.
CCScraper collects data about certified products from commoncriteriaportal.org and from the websites of the Certification Bodies.
Tons of interesting data collected: date of certification, EAL, PP, product category, certification lab, etc., and even the SFRs used or the technical terms in the ST!
The data is interpreted, organised and merged into a list of unique certified products, and the statistics are generated from that list.
6. CCScraper history
CCScraper v1.0 was first presented here at the ICCC in 2018. Only data from commoncriteriaportal.org was collected.
CCScraper v2.0 was presented at ICCC 2019. Main feature: information from the CB websites is added and merged into unique products.
CCScraper v2.1 is presented today at ICCC 2020. Efficiency dramatically improved: 18 hours versus 5 days of execution.
Nothing is perfect, so we implemented logging and e-mail alert logic for errors and for cases the parser does not handle.
7. Latest challenges for CCScraper
New laboratories found! We had to review our parsing logic and reports.
The CSEC website changed its structure during this year: we had to re-code its scraper.
NSCIB started to upload Site Security Certifications, and dates were removed from the product listing.
The scraper passed a test run in September, but in November the website of the Australian CB (ACSC) had entirely changed!
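The collect, merge and count pipeline the last three slides describe, as an added example that is not jtsec's CCScraper code. It parses two constructed HTML listings (standing in for commoncriteriaportal.org and a CB website), merges them into unique products on a normalised vendor/product key, logs rows whose shape the parser does not recognise and products left without a certification date (the unhandled cases the slides send an e-mail alert for), and then computes per-scheme and per-assurance-level counts and the top-3 share for one year. The column names, the vendor-suffix list and every sample row are assumptions made for the demo.

```python
"""Added example, not jtsec's CCScraper code: collect -> merge -> count over two
constructed HTML listings. Column names, vendor suffixes and all rows are assumed."""
import logging
import re
from collections import Counter
from html.parser import HTMLParser

log = logging.getLogger("ccscraper_demo")

# Constructed stand-in for a commoncriteriaportal.org product table.
PORTAL_HTML = """<table>
<tr><th>Scheme</th><th>Product</th><th>Vendor</th><th>Assurance</th><th>Certification Date</th></tr>
<tr><td>DE</td><td>Secure IC v2</td><td>ChipCo</td><td>EAL5+</td><td>2020-03-12</td></tr>
<tr><td>NL</td><td>Router 9000</td><td>NetCo</td><td>PP Compliant</td><td>2020-07-01</td></tr>
<tr><td>ES</td><td>Firewall X</td><td>FwCo</td><td>EAL4+</td><td>2020-09-15</td></tr>
<tr><td>FR</td><td>Old Token</td><td>TokCo</td><td>EAL4+</td><td>2019-12-02</td></tr>
</table>"""
# Constructed stand-in for a CB website: the same router under another vendor spelling,
# a product the portal lacks, no dates (the NSCIB case) and a row whose layout changed.
CB_HTML = """<table>
<tr><th>Scheme</th><th>Product</th><th>Vendor</th><th>Assurance</th><th>Certification Date</th></tr>
<tr><td>NL</td><td>Router 9000</td><td>NetCo B.V.</td><td>PP Compliant</td><td></td></tr>
<tr><td>NL</td><td>VPN Gateway</td><td>NetCo B.V.</td><td>PP Compliant</td><td></td></tr>
<tr><td>NL</td><td>Broken row</td></tr>
</table>"""
VENDOR_SUFFIXES = {"bv", "inc", "ltd", "gmbh", "sa", "llc"}  # assumed list


class TableParser(HTMLParser):
    """Collects every <tr> as a list of cell strings (td or th)."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def parse_listing(html, source):
    """One listing -> records keyed by header text; a row of the wrong shape means
    the site layout changed, so log it rather than guess what the cells mean."""
    parser = TableParser()
    parser.feed(html)
    header, *rows = parser.rows
    records = []
    for row in rows:
        if len(row) != len(header):
            log.error("%s: unexpected row shape %r, site layout changed?", source, row)
            continue
        records.append(dict(zip(header, row), source=source))
    return records


def product_key(rec):
    """Lowercase, strip punctuation and legal suffixes so one product seen on two sites merges."""
    def tokens(s):
        return re.sub(r"[^a-z0-9]+", " ", s.lower().replace(".", "")).split()
    vendor = [t for t in tokens(rec["Vendor"]) if t not in VENDOR_SUFFIXES]
    return " ".join(vendor), " ".join(tokens(rec["Product"]))


def merge(*listings):
    """Unique products: the first listing (the portal) wins, later ones only fill empty
    fields. A product left without a date is the unhandled case the e-mail alert is for."""
    products = {}
    for records in listings:
        for rec in records:
            key, src = product_key(rec), rec.pop("source")
            if key not in products:
                products[key] = dict(rec, sources=[src])
                continue
            for field, value in rec.items():
                if value and not products[key].get(field):
                    products[key][field] = value
            products[key]["sources"].append(src)
    for key, product in products.items():
        if not product["Certification Date"]:
            log.warning("no certification date for %s (sources %s)", key, product["sources"])
    return products


def yearly_stats(products, year="2020"):
    """Per-scheme and per-assurance counts for one year, plus the top-3 schemes' share."""
    in_year = [p for p in products.values() if p["Certification Date"].startswith(year)]
    schemes = Counter(p["Scheme"] for p in in_year)
    assurance = Counter(p["Assurance"].split("+")[0] for p in in_year)  # "EAL5+" -> "EAL5"
    top3 = sum(n for _, n in schemes.most_common(3))
    return {"certified": len(in_year), "schemes": schemes, "assurance": assurance,
            "top3_share": top3 / len(in_year) if in_year else 0.0}


def run():
    """Portal first, then the CB site; returns the merged products and the 2020 stats."""
    merged = merge(parse_listing(PORTAL_HTML, "portal"), parse_listing(CB_HTML, "cb-nl"))
    return merged, yearly_stats(merged)
```

`run()` yields five unique products from the seven well-formed rows: the router appears once with both sources recorded and the portal's date kept, the VPN gateway is kept but logged because neither site gave it a date, and the malformed CB row is rejected with an error rather than silently mis-parsed. That "log and skip, never guess" behaviour is what lets a scheduled scraper notice a redesigned CB website (the CSEC and ACSC cases above) before the numbers in a report go wrong.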
8. CCScraper reports
With the statistics generated, we publish CC statistics reports on the jtsec webpage at least once per year:
https://www.jtsec.es/blog-entry/25/common-criteria-statistics-report-for-2018
https://www.jtsec.es/blog-entry/44/common-criteria-statistics-report-for-2019
10. Statistics – 2020 (10 months)
315 products certified during 2020 (data from 05/11/2020, i.e. 5 November 2020).
11. Top certifier schemes in 2020 (Statistics – 2020, 10 months)
12. Statistics – 2020 (10 months)
The top 3 schemes add up to 55% of the certifications!
35. Conclusions for 2020
PP-compliant certifications and high-assurance certifications (EAL5 + EAL4) predominated; EAL5 and EAL4 were nearly tied in 2020.
2020 brought new winners to the scene:
- A new top vendor
- A new top evaluation lab
- A new top certifying scheme in the top 3
cPP_ND (the Network Device collaborative PP) was the most used cPP; PP084 (BSI-CC-PP-0084, the Security IC Platform Protection Profile) was the most used regular PP.
ICs & smartcards were the most certified category, followed by network devices.
36. Has the lockdown affected the industry?
2020 currently has fewer certifications than 2016, 2017, 2018 and 2019, and is 65 certifications below 2019.
The top certifying schemes lowered their number of certifications, except the Netherlands.
Most of the top certification laboratories certified significantly fewer products in 2020.
37. Has the lockdown affected the industry?
No noticeable variation between Q1 and Q2-Q3 of 2020 (the lockdown quarters).
Unfortunately, we don't collect data about products under evaluation, and:
- Usually the whole CC process up to certification takes between 6 and 12 months.
- EAL4 and higher require a site audit; the lockdown possibly delayed them.
We think that many evaluations were started in 2019: labs and certifiers tried not to stop them because of the lockdown, and the numbers we saw in 2020 correspond to those certifications.
In our opinion, COVID could have delayed evaluations starting in 2020. Hence, we expect the same decreasing trend in 2021... with worse numbers?
38. Contact
jtsec: Beyond IT Security
Granada & Madrid – Spain
hello@jtsec.es
@jtsecES
www.jtsec.es
"Any fool can make something complicated. It takes a genius to make it simple."
Woody Guthrie