 CC data collection with CCScraper
 CC statistics for 2022
 CC Statistics for 5 years
 Conclusions
Contents
 José Manuel Pulido:
 Lead Cybersecurity Consultant and Senior
Cybersecurity Evaluator at jtsec
 Common Criteria expert
 CCToolbox developer
 More than 10 years of experience in cybersecurity
technologies
 Speaker at several conferences including ICCC20
and ICCC21
About me
 Cybersecurity evaluation & consultancy services
 Common Criteria, LINCE and ETSI EN 303 645 accredited
lab.
 Developers of the most powerful tool for Common Criteria,
CCToolbox.
 Involved in standardization activities (ISO, CEN/CENELEC,
ISCI WGs, ENISA CSA WGs, CCUF, CMUF, ERNCIP, …)
 Members of the SCCG (Stakeholder Cybersecurity
Certification Group)
About us
 Web scraper written in Python. Created in 2018 by jtsec.
 CCScraper collects data about certified products from commoncriteriaportal.org
and from the websites of the Certification Bodies.
 Tons of interesting data collected: date of certification, EAL, PP, Product
Category, certification lab, etc. and even SFRs used or technical terms in the ST!
 Data is interpreted and organized / merged into a list of unique certified
products. We generate the statistics from that data.
 We don’t generate statistics of site certifications (yet).
What is CCScraper
 CCScraper v1.0 was first presented here in the ICCC in 2018.
 Only data from commoncriteriaportal.org was collected.
 CCScraper v2.0 was presented in ICCC 2019.
 Main feature: add information from CB websites and merge into unique products
 CCScraper v2.1 was presented in ICCC 2020, mainly with efficiency improvements and email alerts.
 CCScraper v2.2 was presented in ICCC 2021, with improvements in CB website parsers and
detection of false duplicates.
 This year we present CCScraper v2.3 with some upgrades for ICCC 2021.
 Stability improvements parsing NIAP website.
 German language support in parsing BSI website.
 IPA scraper was completely rewritten due to changes in the website.
CCScraper history
 With the statistics generated, we publish CC statistics reports on the jtsec webpage, at least once per year.
CCScraper reports
 https://www.jtsec.es/blog-entry/44/common-criteria-statistics-report-for-2019
 https://www.jtsec.es/blog-entry/85/common-criteria-statistics-report-for-2020
 https://www.jtsec.es/blog-entry/106/common-criteria-statistics-report-for-2021
Statistics – 2022 (9 months)
 196 products certified during 2022 (data until 30/09/2022)
Products certified per quarter: 2022 Q1: 77, 2022 Q2: 64, 2022 Q3: 55
 Top certifier schemes in 2022
Statistics – 2022 (9 months)
Certifications per scheme in 2022: FR 44, NL 36, JP 28, DE 20, US 18, SE 14, ES 12, IT 6, CA 5, SG 5, KR 4, AU 2, IN 1, NO 1
Statistics – 2022 (9 months)
 The top 2 schemes add up to 40% of the certifications!
Share of 2022 certifications per scheme: FR 22%, NL 18%, JP 14%, DE 10%, US 9%, SE 7%, ES 6%, IT 3%, CA 3%, SG 3%, KR 2%, AU 1%, IN 1%, NO 1%
 Certified products compliance in 2022
Statistics – 2022 (9 months)
Share per assurance level: EAL1 1.03%, EAL2 10.31%, EAL3 7.73%, EAL4 29.38%, EAL5 12.89%, EAL6 9.79%, PP 28.87%
Products per quarter (EAL1 / EAL2 / EAL3 / EAL4 / EAL5 / EAL6 / EAL7 / PP):
2022 Q1: 1 / 12 / 7 / 21 / 12 / 2 / 0 / 22
2022 Q2: 1 / 6 / 4 / 21 / 9 / 7 / 0 / 15
2022 Q3: 0 / 2 / 4 / 15 / 4 / 10 / 0 / 19
 Product assurance level per country during 2022
Statistics – 2022 (9 months)
Assurance Level Per Country (EAL1 / EAL2 / EAL3 / EAL4 / EAL5 / EAL6 / EAL7 / PP):
JP: 0 / 4 / 0 / 0 / 0 / 0 / 0 / 24
US: 0 / 0 / 0 / 0 / 0 / 0 / 0 / 18
DE: 0 / 0 / 5 / 8 / 0 / 7 / 0 / 0
FR: 0 / 2 / 3 / 18 / 15 / 6 / 0 / 0
ES: 0 / 3 / 1 / 6 / 2 / 0 / 0 / 0
Others: 2 / 8 / 4 / 4 / 0 / 0 / 0 / 14
NL: 0 / 2 / 2 / 17 / 8 / 6 / 0 / 0
 Top 10 Laboratories (2022)
Statistics – 2022 (9 months)
Certified products per laboratory: BRIGHTSIGHT (*) 34, CEA - LETI (FR) 24, SERMA (FR) 15, ECSEC 14, TÜV (DE/JP) 14, ITSC (JP) 14, ATSEC (*) 13, APPLUS (ES) 7, GOSSAMER (US) 7, DEKRA (ES) 6
Statistics – 2022 (9 months)
 Protection Profile certifications
Certifications with Protection Profiles in 2022: With PP 81%, Without PP 19%
Share per Protection Profile (2022): Security IC Platform Protection Profile 28.10%, Protection Profile for Hardcopy Devices 35.29%, Protection Profile for Network Devices 32.68%, Machine Readable Travel Document 11.76%
Statistics – 2022 (9 months)
 PP and cPP compliant certifications in 2022
Collaborative PPs vs Non-Collaborative PPs: Collaborative PPs 44%, Non-Collaborative PPs 56%
Certifications using CPPs: Network Devices 67%, Stateful Traffic Filter Firewalls 15%, Network Devices + Stateful Traffic Filter Firewalls 15%, Full Drive Encryption 3%
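 Top 5 manufacturers of certified products (2022)
Statistics – 2022 (9 months)
[Bar chart: certified products for the top 5 manufacturers: 14, 12, 11, 11, 10. Change in rank: =, +1, New, -2, New. The manufacturer names are not present in this transcript.]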
 Top product categories (2022) and their evolution
Statistics – 2022 (9 months)
ICs, Smart Cards and Smart Card-Related Devices and Systems, 42%
Multi-Function Devices, 22%
Other Devices and Systems, 14%
Network and Network-Related Devices and Systems, 13%
Data Protection, 4%
Boundary Protection Devices and Systems, 4%
Operating Systems, 1%
 Manufacturers and categories that obtained EAL6
Statistics – Higher EAL manufacturers
EAL6 certifications per manufacturer: Infineon Technologies AG 6, SAMSUNG ELECTRONICS INC. 5, NXP Semiconductors Germany GmbH 4, STMicroelectronics 2, THALES 1, CEC Huada Electronic Design Co., Ltd. 1, Giesecke+Devrient Mobile Security GmbH 1
 Products uploaded to CC Portal vs products only in CB websites
Statistics – 2022 (9 months)
Product publication sites: Total (CCPortal + CBs) 196, CCPortal 157, CB websites only 39
 Number of certifications in the last 5 years
Will 2022 be the worst year of the last five?
Statistics – 5 years trend
Certifications per year: 2018: 337, 2019: 339, 2020: 363, 2021: 344, 2022: 196
 Compliance with EAL or PP of certified products (5 year)
Statistics – 5 years trend
Share per assurance level (5 years): EAL1 1.00%, EAL2 8.77%, EAL3 4.42%, EAL4 19.97%, EAL5 20.90%, EAL6 8.84%, EAL7 0.21%, PP 35.88%
 Certifications per country scheme in the last 5 years
Statistics – 5 year trend
Share per scheme (5 years): FR 22%, US 20%, NL 14%, JP 12%, DE 10%, SE 6%, CA 3%, ES 3%, KR 3%, IT 2%, NO 1%, MY 1%, TR 1%, SG 1%
 Evolution of top 5 laboratories
Statistics – 5 year trend
Certified products per laboratory (2018 / 2019 / 2020 / 2021 / 2022):
BRIGHTSIGHT (*): 14 / 22 / 51 / 56 / 34
CEA - LETI (FR): 44 / 18 / 32 / 33 / 24
TÜV (DE/JP): 27 / 20 / 27 / 35 / 14
SERMA (FR): 24 / 28 / 22 / 18 / 15
GOSSAMER (US): 32 / 23 / 28 / 16 / 7
 Evolution of top product categories (five years)
Statistics – 5 year trend
Certified products per category (2018 / 2019 / 2020 / 2021 / 2022):
Boundary Protection Devices and Systems: 2 / 12 / 10 / 8 / 7
Data protection: 9 / 13 / 17 / 8 / 7
ICs, Smart Cards and Smart Card-Related Devices and Systems: 120 / 95 / 144 / 134 / 68
Mobility: 4 / 11 / 8 / 11 / 8
Multi-Function Devices: 38 / 50 / 47 / 59 / 36
Network and Network-Related Devices and Systems: 34 / 24 / 23 / 48 / 21
Products for Digital Signatures: 7 / 10 / 8 / 11 / 10
Pessimistic global numbers and changes in top 10
 2022 will probably end with much lower numbers than 2021 (286 by ICCC21, 344 at the end of the year).
 The top certifying schemes: the US had the biggest drop; other countries have slightly lower numbers than in 2021.
 Except for the #1 lab, there have been many variations within the top 10 laboratories. 2 French labs are back in the top 3.
 Smartcards and Hardcopy devices were the most certified categories.
 The top 5 vendors are almost all smartcard and Security IC vendors. Several ICs were certified using EAL6+.
Why has the number of certifications dropped?
 Rise of other certifications in Europe
 National lightweight certifications are swifter;
 Vendors waiting for EUCC to be a reality.
 The industry trend is cloud-based. Cloud vendors demand certifications.
 The shadow of the COVID pandemic: developments started in 2020/21 were certified in 2021/22; however, other products were never finished due to the pandemic.
 2022 will be a negative year, after two remarkable ones.
jtsec Beyond IT Security
Granada & Madrid – Spain
hello@jtsec.es
@jtsecES
www.jtsec.es
Contact
“Any fool can make something complicated. It takes a
genius to make it simple.”
Woody Guthrie

Leveraging the Graph for Clinical Trials and Standards
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 

2022 CC Statistics report: will this year beat last year's record number of certifications?

  • 1.
  • 2. Contents: CC data collection with CCScraper; CC statistics for 2022; CC Statistics for 5 years; Conclusions.
  • 3. About me: José Manuel Pulido: Lead Cybersecurity Consultant and Senior Cybersecurity Evaluator at jtsec; Common Criteria expert; CCToolbox developer; more than 10 years of experience in cybersecurity technologies; speaker at several conferences including ICCC20 and ICCC21. About us: cybersecurity evaluation & consultancy services; Common Criteria, LINCE and ETSI EN 303 645 accredited lab; developers of the most powerful tool for Common Criteria, CCToolbox; involved in standardization activities (ISO, CEN/CENELEC, ISCI WGs, ENISA CSA WGs, CCUF, CMUF, ERNCIP, …); members of the SCCG (Stakeholder Cybersecurity Certification Group).
  • 4.
  • 5. What is CCScraper: Web scraper written in Python. Created in 2018 by jtsec. CCScraper collects data about certified products from commoncriteriaportal.org and from the websites of the Certification Bodies. Tons of interesting data collected: date of certification, EAL, PP, Product Category, certification lab, etc. and even SFRs used or technical terms in the ST! Data is interpreted and organized / merged into a list of unique certified products. We generate the statistics from that data. We don’t generate statistics of site certifications (yet).
  • 6. CCScraper history: CCScraper v1.0 was first presented here in the ICCC in 2018; only data from commoncriteriaportal.org was collected. CCScraper v2.0 was presented in ICCC 2019; main feature: add information from CB websites and merge into unique products. CCScraper v2.1 was presented in ICCC 2020, with mainly efficiency improvements and email alerts. CCScraper v2.2 was presented in ICCC 2021, with improvements in CB website parsers and detection of false duplicates. This year we present CCScraper v2.3 with some upgrades for ICCC 2021: stability improvements parsing NIAP website; German language support in parsing BSI website; IPA scraper was completely rewritten due to changes in the website.
  • 7. CCScraper reports: With the statistics generated, we publish CC statistics reports on the jtsec webpage, at least once per year. https://www.jtsec.es/blog-entry/44/common-criteria-statistics-report-for-2019 https://www.jtsec.es/blog-entry/85/common-criteria-statistics-report-for-2020 https://www.jtsec.es/blog-entry/106/common-criteria-statistics-report-for-2021
  • 8.
  • 9. Statistics – 2022 (9 months): 196 products certified during 2022 (data until 30/09/2022). Chart, certifications per quarter: 2022 Q1 77; 2022 Q2 64; 2022 Q3 55.
  • 10. Statistics – 2022 (9 months): Top certifier schemes in 2022. Chart, certifications per scheme: FR 44, NL 36, JP 28, DE 20, US 18, SE 14, ES 12, IT 6, CA 5, SG 5, KR 4, AU 2, IN 1, NO 1.
  • 11. Statistics – 2022 (9 months): The top 2 schemes add up to 40% of the certifications! Pie chart: FR 22%, NL 18%, JP 14%, DE 10%, US 9%, SE 7%, ES 6%, IT 3%, CA 3%, SG 3%, KR 2%, AU 1%, IN 1%, NO 1%.
  • 12. Statistics – 2022 (9 months): Certified products compliance in 2022. Pie chart: EAL1 1.03%, EAL2 10.31%, EAL3 7.73%, EAL4 29.38%, EAL5 12.89%, EAL6 9.79%, PP 28.87%. Bar chart, certifications per quarter (values in the order EAL1, EAL2, EAL3, EAL4, EAL5, EAL6, EAL7, PP): 2022 Q1: 1, 12, 7, 21, 12, 2, 0, 22; 2022 Q2: 1, 6, 4, 21, 9, 7, 0, 15; 2022 Q3: 0, 2, 4, 15, 4, 10, 0, 19.
  • 13. Statistics – 2022 (9 months): Product assurance level per country during 2022. Chart "Assurance Level Per Country" (values in the order EAL1, EAL2, EAL3, EAL4, EAL5, EAL6, EAL7, PP): JP: 0, 4, 0, 0, 0, 0, 0, 24; US: 0, 0, 0, 0, 0, 0, 0, 18; DE: 0, 0, 5, 8, 0, 7, 0, 0; FR: 0, 2, 3, 18, 15, 6, 0, 0; ES: 0, 3, 1, 6, 2, 0, 0, 0; Others: 2, 8, 4, 4, 0, 0, 0, 14; NL: 0, 2, 2, 17, 8, 6, 0, 0.
  • 14. Statistics – 2022 (9 months): Top 10 Laboratories (2022). Chart: DEKRA (ES) 6; GOSSAMER (US) 7; APPLUS (ES) 7; ATSEC (*) 13; ITSC (JP) 14; TÜV (DE/JP) 14; ECSEC 14; SERMA (FR) 15; CEA - LETI (FR) 24; BRIGHTSIGHT (*) 34.
  • 15. Statistics – 2022 (9 months): Protection Profile certifications. Pie chart: With PP 81%, Without PP 19%. Chart "Certifications with Protection Profiles in 2022", labels and values in the order given: Security IC Platform Protection Profile, Protection Profile for Hardcopy Devices, Protection Profile for Network Devices, Machine Readable Travel Document; 28.10%, 35.29%, 32.68%, 11.76%.
  • 16. Statistics – 2022 (9 months): PP and cPP compliant certifications in 2022. Pie chart "Collaborative PPs vs Non-Collaborative PPs": Collaborative PPs 44%, Non-Collaborative PPs 56%. Pie chart "Certifications using CPPs": Network Devices 67%, Stateful Traffic Filter Firewalls 15%, Full Drive Encryption 3%, Network Devices + Stateful Traffic Filter Firewalls 15%.
  • 17. Statistics – 2022 (9 months): Top 5 manufacturers of certified products (2022). Chart values: 14, 12, 11, 11, 10; position markers: =, +1, New, -2, New.
  • 18. Statistics – 2022 (9 months): Top product categories (2022) and their evolution. Pie chart: ICs, Smart Cards and Smart Card-Related Devices and Systems 42%; Other Devices and Systems 14%; Network and Network-Related Devices and Systems 13%; Multi-Function Devices 22%; Data Protection 4%; Boundary Protection Devices and Systems 4%; Operating Systems 1%.
  • 19. Statistics – Higher EAL manufacturers: Manufacturers and categories that obtained EAL6. Chart: Giesecke+Devrient Mobile Security GmbH 1; CEC Huada Electronic Design Co., Ltd. 1; THALES 1; STMicroelectronics 2; NXP Semiconductors Germany GmbH 4; SAMSUNG ELECTRONICS INC. 5; Infineon Technologies AG 6.
  • 20. Statistics – 2022 (9 months): Products uploaded to CC Portal vs products only in CB websites. Chart "Product publication sites": Total CCPortal + CBs 196; CCPortal 157; CB websites only 39.
  • 21.
  • 22. Statistics – 5 years trend: Number of certifications in the last 5 years. Will 2022 be the worst year of the last five? Chart values in the order given: 337, 339, 363, 344, 196.
  • 23. Statistics – 5 years trend: Compliance with EAL or PP of certified products (5 year). Pie chart: EAL1 1.00%, EAL2 8.77%, EAL3 4.42%, EAL4 19.97%, EAL5 20.90%, EAL6 8.84%, EAL7 0.21%, PP 35.88%.
  • 24. Statistics – 5 year trend: Certifications per country scheme in the last 5 years. Pie chart: FR 22%, US 20%, DE 10%, CA 3%, JP 12%, ES 3%, NL 14%, SE 6%, NO 1%, KR 3%, MY 1%, TR 1%, IT 2%, SG 1%.
  • 25. Statistics – 5 year trend: Evolution of top 5 laboratories. Chart (values in the order BRIGHTSIGHT (*), CEA - LETI (FR), TÜV (DE/JP), SERMA (FR), GOSSAMER (US)): 2018: 14, 44, 27, 24, 32; 2019: 22, 18, 20, 28, 23; 2020: 51, 32, 27, 22, 28; 2021: 56, 33, 35, 18, 16; 2022: 34, 24, 14, 15, 7.
  • 26. Statistics – 5 year trend: Evolution of top product categories (five years). Chart (values in the order 2018, 2019, 2020, 2021, 2022): Boundary Protection Devices and Systems: 2, 12, 10, 8, 7; Data protection: 9, 13, 17, 8, 7; ICs, Smart Cards and Smart Card-Related Devices and Systems: 120, 95, 144, 134, 68; Mobility: 4, 11, 8, 11, 8; Multi-Function Devices: 38, 50, 47, 59, 36; Network and Network-Related Devices and Systems: 34, 24, 23, 48, 21; Products for Digital Signatures: 7, 10, 8, 11, 10.
  • 27.
  • 28. Pessimistic global numbers and changes in top 10: 2022 will probably end with much lower numbers than 2021 (286 by ICCC21, 344 at the end of the year). The top certifying schemes: US had the biggest drop; other countries have slightly lower numbers than in 2021. Except for the #1 lab, there have been many variations within the top 10 of laboratories; 2 French labs are back in the top 3. Smartcards and Hardcopy devices were the most certified categories. Top #5 vendors are almost all smartcard and Security IC vendors. Several ICs were certified using EAL6+.
  • 29. Why has the number of certifications dropped? Rise of other certifications in Europe: national lightweight certifications are swifter; vendors waiting for EUCC to be a reality. The industry trend is cloud-based. Cloud vendors demand certifications. The shadow of the COVID pandemic: developments started in 2020/21 were certified in 2021/22; however, other products were never finished due to the pandemic. 2022 will be a negative year, after two remarkable ones.
  • 30. Contact: jtsec Beyond IT Security; Granada & Madrid – Spain; hello@jtsec.es; @jtsecES; www.jtsec.es. “Any fool can make something complicated. It takes a genius to make it simple.” Woody Guthrie

Editor's Notes

  1. Hello ICCC 22. My name is Jose Pulido, and today I am here to present to you the statistics of the Common Criteria certification industry for the current year. I am very happy to be a speaker for one more year at this Common Criteria conference; it’s an honor, so thanks a lot for having me here.
  2. In this presentation, we’ll first speak about the CCScraper tool that we use to collect data about CC certifications, and then we will see and analyze statistics from the current year and from the last five years. Finally, after showing the numbers, we will analyze them and try to draw conclusions in order to explain the yearly numbers.
  3. Let me briefly introduce myself: I’m José Manuel Pulido, currently Lead Cybersecurity Consultant at jtsec. I have been involved in Common Criteria, cybersecurity in general and the development of tools for CC professionals for several years. I have also participated in various conferences, this being my third year at ICCC. The statistics that I will present to you today, and the tools used to create them, are produced at jtsec, an accredited CC laboratory deeply involved in various standardization groups related to cybersecurity certification, as you can see in this slide. If you want to know more about us, you are welcome to check this slide or the jtsec website after the talk.
  4. Let’s start with a brief presentation of the CCScraper tool.
  5. CCScraper is a script written in Python that collects data from two principal sources. The main source is the list of certified products in commoncriteriaportal.org. The second source is the website of each National Certification Body that produces and publishes Common Criteria certificates. From these two sources, the scraper collects and gathers all the relevant data for each certified product: date of certification, assurance level, Protection Profile, product category, certification laboratory… and much more. The data is interpreted and put together into a list of unique certified products. From this data, we are able to generate several statistics. Today we will look at and analyze some interesting ones.
  6. The first version of CCScraper was first presented here at the ICCC in 2018. We were very excited then to share the result of this work with the CC community… and I think we didn’t disappoint them. The second version was presented at ICCC 2019 and it incorporated a powerful new feature: it started to collect data from the websites of National Certification Bodies, and correlated it with the data from commoncriteriaportal.org. Since then, statistics are much more complete and reliable. In 2020 and 2021 we presented minor versions that included efficiency improvements and stability fixes. Almost every year we need to update the scraper due to changes in the structure of the Certification Body websites. This year, we present CCScraper version 2.3 ("two dot three"), with stability fixes in order to be able to parse the NIAP site, and also support for German-language texts in the BSI website. Regarding the Japanese CB website, there were many changes in the structure, so we had to completely rewrite the scraper code for this site.
  7. As always, we are glad to remind you that the statistics generated thanks to CCScraper are put together into a report, at least once a year. We regularly publish it in the jtsec blog, so, please, feel free to check it and download the statistics for every year. For 2022, we’ll publish the final report with the statistics of the full year at the beginning of next year. So, please, stay tuned!
  8. Now, let’s present the statistics that we created from the data collected by CCScraper this year.
  9. CCScraper was run on the 30th of September of this year. Therefore, the data collected and used for these statistics corresponds to the first three quarters of 2022. The total number of certifications during 2022 until the end of September has been one hundred and ninety six. The number of certifications has been decreasing as the quarters of the year have progressed. The same chart in 2021, at the end of September, showed 286 certifications in the first three quarters; that is, there are ninety fewer certifications compared to last year. So, the first thing that we can observe is a huge difference and much lower numbers in comparison with last year.
  10. BIG DROP FOR THE US COMPARED TO LAST YEAR. One of the most valuable statistics that we have been able to collect using CCScraper is the ranking of certifications per scheme during 2022. The numbers indicate that France is the champion with 44 certifications. Netherlands is in second place, repeating last year’s position, with 36. Japan rose to the top 3 with 28 certifications; last year it was in fifth place. Japan has increased 11 positions in the last two years. Germany falls one position, missing out on the podium. The US is for the first time out of the podium, dropping to fifth place. Sweden and Spain have risen one position compared to last year. For Spain, we hope that at the end of the year, jtsec will be in the list of labs that contribute to the statistic. Then, with fewer than ten certifications we find Italy, Korea, Malaysia, Australia, Turkey and India, Singapore, and, surprisingly, Canada.
  11. If we look at the percentage of certifications per scheme, the top two certifying schemes (Netherlands and France) are quite far from the rest and account for forty per cent of the total number of certifications. If we add Japan, the bronze medal this year, the top three add up to 54% of the total statistic. Other countries like Germany, the US and Sweden follow at some distance. Spain is at number 7. We are happy about this statistic, because Spain surpasses countries such as Italy or Canada and is close to countries such as Sweden, historically more prominent.
  12. If we take a look at the relative number of certifications for each assurance level or Protection Profile compliant certifications, PP-compliant certifications used to be the most common case in previous years, but this year EAL 4 has surpassed it. This year just 56 certifications have been done under a PP and 139 under an EAL. The main reason we believe this change has occurred is the significant decline in certifications in the US and Canada, the main countries where PPs are used. Regarding EALs, EAL 4, with 57, is the most used one, followed by EAL 5, with twenty five, and EAL6 with 19. As we can see, high assurance levels (EAL 4 to EAL 7) have predominated this year. In lower assurance, EAL2 was the most common, with 20 certifications. EAL1, this year, has just 2 certifications. There are no products certified with EAL 7 during this year.
  13. This particular statistic shows which assurance levels were the most used in the top certifying countries. We see a big change this year: usually the United States is the country that certifies the most products using PP-compliant evaluations. This year, Japan has taken the lead. Later in this presentation, we’ll see why. The US continues to use exclusively NIAP PPs, as it is mandatory for this scheme. In high assurance certifications, France is in the top #1, counting from EAL4 to EAL6, with 39 certifications. Netherlands also had good numbers in high assurance certifications with 31, and Germany is quite far behind with 15. The reason is the same as almost every year: the consolidated industry of smartcard and secure IC certifications, which keeps growing. This year we also see several EAL6 certifications, due to smartcards and ICs being certified using PP0084 augmented to EAL6.
  14. If we take a look at the top 10 laboratories in 2022, Brightsight has been the laboratory with the highest number of certifications performed, with thirty four, repeating the first place this year. It is followed so far by CEA-Leti, with 24 certifications. The bronze medal is for SERMA with 15 certifications. The contribution of French labs this year has been outstanding. With 14 certifications we can find ECSEC, TUV and ITSC. After them, we can find ATSEC, APPLUS, Gossamer and DEKRA. It is nice to see two Spanish labs in the top ten.
  15. These charts show that the vast majority of the certifications this year were Protection Profile compliant, exactly eighty one percent, 7 per cent more than last year. We can definitely say that the use of PPs has settled in the certification industry and it seems that this trend is here to stay. In the chart on the right, you will find the most used Protection Profiles in 2022. The most used PP during this year was the collaborative Protection Profile for Hardcopy Devices with more than thirty two per cent. If you were wondering why Japan had so many certifications this year… this is due to a high number of certifications of hardcopy devices such as multifunction printers. Very close, in the third place, we can find the Protection Profile for Network Devices, which is very popular every year. The Security IC Platform Protection Profile goes down to the third place with more than twenty eight per cent; still, it is the most used for high-assurance certifications. The Protection Profile for the Machine Readable Travel Document is one more year in the top four, as usual.
  16. We also collected information about the use of collaborative Protection Profiles. In 2022, 44% of the Protection Profiles used were collaborative PPs. If we take a look at the second pie chart, we will see which cPPs have been the most used ones. The winner is of course the cPP for Network Devices, with a huge difference over the second. This cPP, as in most years, is the most popular. The second one is the Stateful Traffic Filter Firewalls cPP with fifteen percent, tied with Network Devices + Stateful Traffic Filter Firewalls. Full Drive Encryption reached only 3% this year.
  17. And this year, of course, we also have the ranking of the top 5 manufacturers of Common Criteria certified products. We have to congratulate the winners again. The first position belongs to Thales, which was out of the podium last year. They are in the top #1 with 14 certifications. NXP is second, with 12 certifications, one more than the previous year. Samsung goes down two positions and ties with Infineon with 11 certifications. Huawei comes into the top 5 this year with 10 certifications. 3 out of five vendors repeated in the top five this year. IDEMIA (the fifth one last year) and CISCO (second place last year) are out of the top 5 in 2022. A curious fact: in 2021, the top five vendors added up to 75 percent of total certifications, but this year they only reach a total of 31 percent of certifications. This means that this year, the protagonism has been spread over more diverse vendors.
  18. Another interesting statistic that we collected is the product categories with the most certifications. Just one note: we work with the data categories defined in the commoncriteriaportal.org website, and those are listed in this pie chart. The top category in 2022 is integrated circuits and smart cards. This is consistent with the third most used Protection Profile that we saw earlier. In second place we can find Multi-Function Devices, which agrees with the Protection Profile for Hardcopy Devices, the most used one this year. We need to say that vendors of multi-function devices don’t appear in the top vendor statistics. The reason is simple: there are many vendors of this type of device certifying few products each, such as Konica Minolta, Kyocera, HP, Fujifilm, Toshiba, Ricoh, Canon… In the same way, the network and network-related devices category also has good relative numbers, with twelve percent, many of them using the Network Devices cPP. Data protection, operating systems and boundary protection devices were also very frequent.
  19. If you remember, we spoke before about the highest assurance levels, which are not so common, but there is a significant number this year. Of course, it is interesting to learn which vendors certified those products, and in which product categories. As we said before, no EAL 7 certifications have been carried out, so we will show EAL 6, with 20 certifications. Infineon is the leader with 6 certifications; in second place we find Samsung with 5, followed by NXP with 4. In 2021 the podium was the same, but Samsung was first, NXP second and Infineon third. STM is in fourth place with two certifications, and Thales, Huawei, CEC HUADA and Giesecke are tied with one. All of them are certified as ICs, Smart Cards and Smart Card-Related Devices and Systems, using the regular PP augmented to EAL6. Congratulations!
  20. As collectors of CC certification data, we find this statistic especially interesting. Since the first executions of the scraper, we noticed that not all the certified products are uploaded to commoncriteriaportal; some of them are published just on their National CB website. 39 were collected only from the CB websites… This chart shows that, of the 196 products certified in 2022, one hundred and fifty-seven are published in the Common Criteria Portal, but thirty nine products are published only on the website of the certification body. This means that 80% of the total certified products are uploaded to the Common Criteria Portal. It is a great number, but… it’s not 100%. We encourage CBs to keep up the good work and upload their certifications to the CC Portal.
  21. After presenting the statistics from 2022, we will now show some interesting statistics and numbers for the last five years. This will help us to verify whether 2022 has presented deviations in the CC industry in relation to the previous years.
  22. If we look at the number of certifications per year, we can see a stable trend with a great number of certifications in the previous four years. 2021 ended with more certifications than 2018 and 2019, but with fewer than 2020. However, in the first 9 months of 2022, there are one hundred and forty eight fewer certifications than in 2021. We may see some increase at the end of the year, but it will be unlikely to catch up with or exceed the previous year's numbers. These numbers are not promising and it may end up being the worst year in the last five. However, we said the same thing in October last year and it ended up being a great year, so let’s see how it ends…
  23. Regarding compliance of certified products, during the last five years, thirty five percent of the certifications were PP-compliant. This is the greatest percentage of all, and it is in line with the data for 2021. After that, EAL5 was the most used assurance level, with more than 20 percent, closely followed by EAL4, so we can confirm that the industry is demanding high assurance evaluations. In low assurance, EAL2 has been the most frequent. Another interesting fact: in the last five years, EAL6 certifications have surpassed the number of EAL1 and EAL3 certifications together, and have almost tied with EAL2.
  24. If we analyze the relative number of certifications per scheme in the last five years, we see some interesting information. In the 5-year statistic, we can find that France and the US are the top producers of certifications. They have more than 20% each. The third, fourth and fifth positions are more contested and have changed in the last couple of years. Netherlands has consistently settled in the fourth place with 14% of the certifications; Japan (with 12%) has overtaken Germany (with 10%) and is in the fourth place. Sweden is in sixth place, and Spain, Canada and Korea tie with 3%. Italy completes the top 10, but Singapore is pushing. Australia and India don’t appear in this graph, but they have 7 and 6 certifications respectively.
  25. This chart shows the evolution of the top five laboratories since 2018. Brightsight is the leader and it has been increasing its numbers year after year, although this year was not as good for them as the previous two years. CEA-LETI is in second place, and its accumulated numbers for 5 years are close to Brightsight’s. TUV is in third place, and SERMA and GOSSAMER follow the podium, not so far behind. As we can see, the number of certifications this year is considerably lower in all the labs, and we don’t see labs where the numbers haven’t been impacted. If we look at the evolution over 5 years, the common trend is clear: the number of certifications decreased in 2021 (with some exceptions) and has decreased even more in 2022, following the decaying trend for this year.
  26. Another interesting statistic is the evolution of the top 5 categories of certified products. It seems that the certifications of ICs, smartcards and similar devices (in red) decayed last year and have decayed even more this year. And it is still the category with the highest number of certifications. The Multi-Function Devices category is in second place and Network Devices and Systems are in third place, far from the second. Products for Digital Signatures seems to achieve similar figures this year. Mobility appears in the top 5 in the last five years. Boundary and Data protection have been dropping since 2020.
  27. So… you may wonder…. Which conclusions may we draw from all of these statistics for the current year?
  28. The most important highlight for this year’s statistic is the really low global number of certifications. The numbers that we have seen in the CC certification industry this year are not promising at all. At the end of September of 2021 there were 286 (TWO HUNDRED AND EIGHTY SIX) certified products, versus 196 (one hundred and ninety six) in this year. This means 90 less products in September. And, if we look at the end-of-year horizon 2021 ended with 335 (three hundred and thirty five) certifications. We don’t really believe that the numbers at the end of this year will come even close of the last year’s numbers. The reason is that it would require 148 more certifications before the end of the year. If we look individually at each country, US had a big drop in certifications, something that we had not seen in statistics of previous years. We can say that it’s the country most affected by the global drop, and there is no doubt that it has affected the statistics globally. Regarding laboratories, the top #1 laboratory didn’t change but, the rest of the top five presented various changes. This year, the French laboratories are back with a lot of presence in the ranking. As per products, Smartcards and hardcopy and multifunction devices were the most certified categories. Smartcards are one more year on the top. This was reflected in the top 5 of vendors: almost all of them were smart card manufacturers, with several high assurance certifications, including many EAL6.
  29. After summarizing the numbers, we definitely need to ask why the global numbers of the CC industry have dropped so low. Again, this is one of the biggest drops that we have seen since we started collecting statistics. We have analyzed the situation and we can share some ideas with you. We believe there are some main factors affecting the CC certification industry. One is the rise of other certifications that respond to market needs. We can mention, as an example, the lightweight certifications that are conducted in national schemes. Examples: LINCE, CSPN, BSPZ, or BSPA. For sure, lightweight certifications don't work for every possible scenario, such as the high assurance required by smartcards. But for other types of products they are enough, they are cheaper, and they are faster. We could also mention the upcoming EUCC certification: the European Common Criteria. Our hypothesis is that some vendors could be waiting for this standard to reach the market, and they don't want to spend resources on costly CC certifications until then. We need to wait and see whether, when EUCC becomes a reality, the CC numbers keep being impacted. Of course, we can't skip mentioning the need for cloud certifications. There is an awkward reality in this industry: there is zero support for cloud-based TOEs. Some work is being done to solve this but, as of today, there is no possibility of CC certification for cloud-based products. And, coincidentally, the number of cloud products released is higher with each passing year. The market is evolving towards a cloud-based paradigm, and CC should evolve as well. And, of course, the shadow of the COVID pandemic still hovers over the CC industry. In 2020 and 2021 we saw significant impact but, at the end of these years, the numbers somehow rose and ended up well.
We had discussed the impact of the pandemic on the industry in previous years but, in 2022, we thought the situation was already coming to an end and that the industry wouldn't be so affected. Well, we have also analyzed the situation and there could be some factors here. Some developments were started before the pandemic, and they were certified in 2021 or 2022. This is, maybe, why the numbers of the last two years were not so impacted. But many of the product developments that were started during the pandemic were stopped or discontinued, and they were never finished or certified. We think this is reflected in this year's numbers. This is our humble view of the situation. Whether you agree or not, we are happy to hear your opinions and discuss them with you. But the incontestable reality is shown by the numbers, and 2022 is being, and will be, a year with not so good numbers.
  30. Thank you very much for your attention. If you have any questions, please feel free to ask. If you think of any other interesting statistic to generate, or if you think some numbers are not accurate, please contact us and we will take your feedback into account to improve. THANK YOU.