SlideShare a Scribd company logo

Russian IT Security Certification Scheme Steps Toward Common Criteria

Download as PPTX, PDF
A
Alexander Barabanov

Presentation from International Common Criteria Conference-2014

Presentations & Public Speaking
1 of 25
Russian IT Security Certification Scheme: Steps Toward Common Criteria Approach Alexander Barabanov, Alexey Markov, Valentin Tsirlov
Agenda 2  Brief overview  Current status of the Russian IT Security Certification Scheme  Steps Toward Common Criteria Approach  Final Remarks
Brief overview: Historical Perspective requirements for antiviruses (based on CC) 3 Establishment of Russian IT Security Certification Scheme 1995 1997 Mandatory requirements for firewall and access control systems 1999 2003 Guidance based on CC v.2.1 Mandatory Mandatory requirements for IPS/IDS (based on CC) Mandatory requirements for source code analysis 2012 2013
Brief overview: who takes part in the certification process? 4
Brief overview: typical timeline 5 Obtaining FSTEC ID Normally 1 month Evaluation provided by Laboratory 3-4 months Certification by Certification Body 1 month and more – there may be delays: - for solutions that will be used for protection of classified information; - If a state-owned Certification authority was chosen by FSTEC Obtaining a certificate from FSTEC of Russia Normally 1 month
Brief overview: Accredited Evaluation Laboratories 6
Brief overview: Accredited Certification Bodies 7
Brief overview: Classical Major Approaches to Evaluation 8 Evaluation of the security functionality • Black box testing to ensure that TOE works as it should Evaluation for the absence of non-declared functions • Testing of source code for the absence of software vulnerabilities
Current status of the Russian Scheme: Products 9
Current status of the Russian Scheme: Certified Products by Types (1) 10 2011-2013 Evaluation Timeline
Current status of the Russian Scheme: Certified Products by Types (2) 11
Current status of the Russian Scheme: Russian vs. Non-Russian Developers 12
Current status of the Russian Scheme: Non-Russian Developers (1) 13 13
Current status of the Russian Scheme: Non-Russian Developers (2) 2011-2013 Evaluation Timeline 14
Current status of the Russian Scheme: Russian Developers 2011-2013 Evaluation Timeline 15
Steps Toward Common Criteria Approach: Step #1 (1) 16
Steps Toward Common Criteria Approach: Step #1 (2) 17
Steps Toward Common Criteria Approach: Step #1 (3) 2003-2013 Evaluation Timeline 18
Steps Toward Common Criteria Approach: Step #2 (1) 19
Steps Toward Common Criteria Approach: Step #2 (2) 20
Steps Toward Common Criteria Approach: Certified Products, Russian 21 TOE Developer Approved PP Kaspersky Endpoint Security Kaspersky Lab. Host IDS, Antivirus, Security Level 2 Kaspersky Antivirus for Novell NetWare Kaspersky Lab. Antivirus, Security Level 2 Security Studio Endpoint Protection Security Code Host IDS, Antivirus, Security Level 4 (~ EAL3+) Kaspersky Security Center Kaspersky Lab. Antivirus, Security Level 2 Continent 3.7 Security Code Network IDS, Security Level 3
Steps Toward Common Criteria Approach: Certified Products, Non-Russian 22 TOE Developer Approved PP Deep Security 8.0 Trend Micro Host IDS, Antivirus, Security Level 4 (~ EAL3+) McAfee NSP 7.1 McAfee Network IDS, Security Level 5 (~ EAL2+) Office Scan 10.6 Trend Micro Host IDS, Antivirus, Security Level 4 (~ EAL3+) McAfee Web Gateway 7.4 McAfee Antivirus, Security Level 5 (~ EAL2+)
Final Remarks 1. First certifications according to the new requirements are 23 certifications of non-Russian products. 2. More and more leading non-Russian developers provide the Russian Evaluations Laboratories with access to their source code, and this tendency shall be observed in future. 3. Efficiency in detection of vulnerabilities in software submitted for certification will enhance. 4. Russian developers will pay more for certification. 5. The number of actively working Evaluations Laboratories will reduce.
Contact Information 24  Alexander Barabanov, CISSP, CSSLP Head of Certification and Testing Department NPO Echelon ab@cnpo.ru  Alexey Markov, Ph.D, CISSP CEO of NPO Echelon am@cnpo.ru  Valentin Tsirlov, Ph.D, CISSP, CISM Executive Director of NPO Echelon z@cnpo.ru
25 Thank you for your attention!

Recommended

WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...
WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...
WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...Alexander Barabanov
 
An Application of Test-Driven Development Methodology into the Process of Ha...
An Application of Test-Driven Development Methodology into the Process of Ha... An Application of Test-Driven Development Methodology into the Process of Ha...
An Application of Test-Driven Development Methodology into the Process of Ha...Sergey Staroletov
 
Echelon_Sibcon-2016
Echelon_Sibcon-2016Echelon_Sibcon-2016
Echelon_Sibcon-2016Alexander Barabanov
 
New Testing Standards Are on the Horizon: What Will Be Their Impact?
New Testing Standards Are on the Horizon: What Will Be Their Impact?New Testing Standards Are on the Horizon: What Will Be Their Impact?
New Testing Standards Are on the Horizon: What Will Be Their Impact?TechWell
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
An Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source ProjectsAn Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source ProjectsPavneet Singh Kochhar
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)
CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)
CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)Sung Kim
 

Recommended

WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...
WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...
WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificatio...Alexander Barabanov
 
An Application of Test-Driven Development Methodology into the Process of Ha...
An Application of Test-Driven Development Methodology into the Process of Ha... An Application of Test-Driven Development Methodology into the Process of Ha...
An Application of Test-Driven Development Methodology into the Process of Ha...Sergey Staroletov
 
Echelon_Sibcon-2016
Echelon_Sibcon-2016Echelon_Sibcon-2016
Echelon_Sibcon-2016Alexander Barabanov
 
New Testing Standards Are on the Horizon: What Will Be Their Impact?
New Testing Standards Are on the Horizon: What Will Be Their Impact?New Testing Standards Are on the Horizon: What Will Be Their Impact?
New Testing Standards Are on the Horizon: What Will Be Their Impact?TechWell
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
An Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source ProjectsAn Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source ProjectsPavneet Singh Kochhar
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)
CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)
CrashLocator: Locating Crashing Faults Based on Crash Stacks (ISSTA 2014)Sung Kim
 
The Impact of Test Ownership and Team Structure on the Reliability and Effect...
The Impact of Test Ownership and Team Structure on the Reliability and Effect...The Impact of Test Ownership and Team Structure on the Reliability and Effect...
The Impact of Test Ownership and Team Structure on the Reliability and Effect...Kim Herzig
 
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug Prediction
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug PredictionIt's Not a Bug, It's a Feature — How Misclassification Impacts Bug Prediction
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug Predictionsjust
 
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...SAIL_QU
 
Issre2014 test defectprediction
Issre2014 test defectpredictionIssre2014 test defectprediction
Issre2014 test defectpredictionKim Herzig
 
Robustness testing
Robustness testingRobustness testing
Robustness testingCS, NcState
 
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisDissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisCHOOSE
 
SpecTRM
SpecTRMSpecTRM
SpecTRMCS, NcState
 
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?Can Automated Impact Analysis Technique Help Predicting Decaying Modules?
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?Shinpei Hayashi
 
Levels of testing
Levels of testingLevels of testing
Levels of testingRanjeet Singh
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsRam G Athreya
 
Testy dymne, integracyjne i jednostkowe w Laravel
Testy dymne, integracyjne i jednostkowe w LaravelTesty dymne, integracyjne i jednostkowe w Laravel
Testy dymne, integracyjne i jednostkowe w LaravelLaravel Poland MeetUp
 
Understanding the Rationale for Updating a Function's Comment
Understanding the Rationale for Updating a Function's CommentUnderstanding the Rationale for Updating a Function's Comment
Understanding the Rationale for Updating a Function's CommentSAIL_QU
 
Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Sebastiano Panichella
 
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfX41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfnattamailru
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
GenerationRFID_Corp_2015_02
GenerationRFID_Corp_2015_02GenerationRFID_Corp_2015_02
GenerationRFID_Corp_2015_02Albert Escala
 
Standards for safety and security in avionics
Standards for safety and security in avionicsStandards for safety and security in avionics
Standards for safety and security in avionicsAlessandro Bruni
 
Basic of Software Testing.pptx
Basic of Software Testing.pptxBasic of Software Testing.pptx
Basic of Software Testing.pptxaparna14patil
 
Manual Testing Guide1.pdf
Manual Testing Guide1.pdfManual Testing Guide1.pdf
Manual Testing Guide1.pdfKhushal Chate
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality AssuranceRohana K Amarakoon
 
IRJET- Research Study on Testing Mantle in SDLC
IRJET- Research Study on Testing Mantle in SDLCIRJET- Research Study on Testing Mantle in SDLC
IRJET- Research Study on Testing Mantle in SDLCIRJET Journal
 

More Related Content

What's hot

The Impact of Test Ownership and Team Structure on the Reliability and Effect...
The Impact of Test Ownership and Team Structure on the Reliability and Effect...The Impact of Test Ownership and Team Structure on the Reliability and Effect...
The Impact of Test Ownership and Team Structure on the Reliability and Effect...Kim Herzig
 
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug Prediction
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug PredictionIt's Not a Bug, It's a Feature — How Misclassification Impacts Bug Prediction
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug Predictionsjust
 
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...SAIL_QU
 
Issre2014 test defectprediction
Issre2014 test defectpredictionIssre2014 test defectprediction
Issre2014 test defectpredictionKim Herzig
 
Robustness testing
Robustness testingRobustness testing
Robustness testingCS, NcState
 
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisDissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisCHOOSE
 
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?Can Automated Impact Analysis Technique Help Predicting Decaying Modules?
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?Shinpei Hayashi
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsRam G Athreya
 
Testy dymne, integracyjne i jednostkowe w Laravel
Testy dymne, integracyjne i jednostkowe w LaravelTesty dymne, integracyjne i jednostkowe w Laravel
Testy dymne, integracyjne i jednostkowe w LaravelLaravel Poland MeetUp
 
Understanding the Rationale for Updating a Function's Comment
Understanding the Rationale for Updating a Function's CommentUnderstanding the Rationale for Updating a Function's Comment
Understanding the Rationale for Updating a Function's CommentSAIL_QU
 

What's hot (13)

The Impact of Test Ownership and Team Structure on the Reliability and Effect...
The Impact of Test Ownership and Team Structure on the Reliability and Effect...The Impact of Test Ownership and Team Structure on the Reliability and Effect...
The Impact of Test Ownership and Team Structure on the Reliability and Effect...
 
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug Prediction
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug PredictionIt's Not a Bug, It's a Feature — How Misclassification Impacts Bug Prediction
It's Not a Bug, It's a Feature — How Misclassification Impacts Bug Prediction
 
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...
Empircal Studies of Performance Bugs & Performance Analysis Approaches for La...
 
Issre2014 test defectprediction
Issre2014 test defectpredictionIssre2014 test defectprediction
Issre2014 test defectprediction
 
Robustness testing
Robustness testingRobustness testing
Robustness testing
 
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisDissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
 
SpecTRM
SpecTRMSpecTRM
SpecTRM
 
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?Can Automated Impact Analysis Technique Help Predicting Decaying Modules?
Can Automated Impact Analysis Technique Help Predicting Decaying Modules?
 
Levels of testing
Levels of testingLevels of testing
Levels of testing
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
 
Testy dymne, integracyjne i jednostkowe w Laravel
Testy dymne, integracyjne i jednostkowe w LaravelTesty dymne, integracyjne i jednostkowe w Laravel
Testy dymne, integracyjne i jednostkowe w Laravel
 
Understanding the Rationale for Updating a Function's Comment
Understanding the Rationale for Updating a Function's CommentUnderstanding the Rationale for Updating a Function's Comment
Understanding the Rationale for Updating a Function's Comment
 

Similar to Russian IT Security Certification Scheme Steps Toward Common Criteria

Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Sebastiano Panichella
 
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfX41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfnattamailru
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
GenerationRFID_Corp_2015_02
GenerationRFID_Corp_2015_02GenerationRFID_Corp_2015_02
GenerationRFID_Corp_2015_02Albert Escala
 
Standards for safety and security in avionics
Standards for safety and security in avionicsStandards for safety and security in avionics
Standards for safety and security in avionicsAlessandro Bruni
 
Basic of Software Testing.pptx
Basic of Software Testing.pptxBasic of Software Testing.pptx
Basic of Software Testing.pptxaparna14patil
 
Manual Testing Guide1.pdf
Manual Testing Guide1.pdfManual Testing Guide1.pdf
Manual Testing Guide1.pdfKhushal Chate
 
IRJET- Research Study on Testing Mantle in SDLC
IRJET- Research Study on Testing Mantle in SDLCIRJET- Research Study on Testing Mantle in SDLC
IRJET- Research Study on Testing Mantle in SDLCIRJET Journal
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Software development life cycle
Software development life cycleSoftware development life cycle
Software development life cycleA Subbiah
 
Unit 2 Unit Testing
Unit 2 Unit TestingUnit 2 Unit Testing
Unit 2 Unit Testingravikhimani
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedAshley Zupkus
 
Traps detection during migration of C and C++ code to 64-bit Windows
Traps detection during migration of C and C++ code to 64-bit WindowsTraps detection during migration of C and C++ code to 64-bit Windows
Traps detection during migration of C and C++ code to 64-bit WindowsPVS-Studio
 
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the ProblemsTakanori Suzuki
 
Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)Seapine Software
 
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability MatrixBeyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability MatrixSeapine Software
 

Similar to Russian IT Security Certification Scheme Steps Toward Common Criteria (20)

Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?Would Static Analysis Tools Help Developers with Code Reviews?
Would Static Analysis Tools Help Developers with Code Reviews?
 
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdfX41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
GenerationRFID_Corp_2015_02
GenerationRFID_Corp_2015_02GenerationRFID_Corp_2015_02
GenerationRFID_Corp_2015_02
 
Standards for safety and security in avionics
Standards for safety and security in avionicsStandards for safety and security in avionics
Standards for safety and security in avionics
 
Basic of Software Testing.pptx
Basic of Software Testing.pptxBasic of Software Testing.pptx
Basic of Software Testing.pptx
 
Manual Testing Guide1.pdf
Manual Testing Guide1.pdfManual Testing Guide1.pdf
Manual Testing Guide1.pdf
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
 
IRJET- Research Study on Testing Mantle in SDLC
IRJET- Research Study on Testing Mantle in SDLCIRJET- Research Study on Testing Mantle in SDLC
IRJET- Research Study on Testing Mantle in SDLC
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Software development life cycle
Software development life cycleSoftware development life cycle
Software development life cycle
 
Unit 2 unit testing
Unit 2 unit testingUnit 2 unit testing
Unit 2 unit testing
 
Unit 2 Unit Testing
Unit 2 Unit TestingUnit 2 Unit Testing
Unit 2 Unit Testing
 
00.pdf
00.pdf00.pdf
00.pdf
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically Guaranteed
 
Traps detection during migration of C and C++ code to 64-bit Windows
Traps detection during migration of C and C++ code to 64-bit WindowsTraps detection during migration of C and C++ code to 64-bit Windows
Traps detection during migration of C and C++ code to 64-bit Windows
 
Test-Driven Code Review: An Empirical Study
Test-Driven Code Review: An Empirical StudyTest-Driven Code Review: An Empirical Study
Test-Driven Code Review: An Empirical Study
 
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
 
Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)Sw qual joint webinar deck (5)
Sw qual joint webinar deck (5)
 
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability MatrixBeyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
Beyond FDA Compliance Webinar: 5 Hidden Benefits of Your Traceability Matrix
 

Recently uploaded

WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfakankshagupta7348026
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrsaastr
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptssuser319dad
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 

Recently uploaded (20)

WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdf
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 

Russian IT Security Certification Scheme Steps Toward Common Criteria

  • 1. Russian IT Security Certification Scheme: Steps Toward Common Criteria Approach Alexander Barabanov, Alexey Markov, Valentin Tsirlov
  • 2. Agenda 2  Brief overview  Current status of the Russian IT Security Certification Scheme  Steps Toward Common Criteria Approach  Final Remarks
  • 3. Brief overview: Historical Perspective requirements for antiviruses (based on CC) 3 Establishment of Russian IT Security Certification Scheme 1995 1997 Mandatory requirements for firewall and access control systems 1999 2003 Guidance based on CC v.2.1 Mandatory Mandatory requirements for IPS/IDS (based on CC) Mandatory requirements for source code analysis 2012 2013
  • 4. Brief overview: who takes part in the certification process? 4
  • 5. Brief overview: typical timeline 5 Obtaining FSTEC ID Normally 1 month Evaluation provided by Laboratory 3-4 months Certification by Certification Body 1 month and more – there may be delays: - for solutions that will be used for protection of classified information; - If a state-owned Certification authority was chosen by FSTEC Obtaining a certificate from FSTEC of Russia Normally 1 month
  • 6. Brief overview: Accredited Evaluation Laboratories 6
  • 7. Brief overview: Accredited Certification Bodies 7
  • 8. Brief overview: Classical Major Approaches to Evaluation 8 Evaluation of the security functionality • Black box testing to ensure that TOE works as it should Evaluation for the absence of non-declared functions • Testing of source code for the absence of software vulnerabilities
  • 9. Current status of the Russian Scheme: Products 9
  • 10. Current status of the Russian Scheme: Certified Products by Types (1) 10 2011-2013 Evaluation Timeline
  • 11. Current status of the Russian Scheme: Certified Products by Types (2) 11
  • 12. Current status of the Russian Scheme: Russian vs. Non-Russian Developers 12
  • 13. Current status of the Russian Scheme: Non-Russian Developers (1) 13 13
  • 14. Current status of the Russian Scheme: Non-Russian Developers (2) 2011-2013 Evaluation Timeline 14
  • 15. Current status of the Russian Scheme: Russian Developers 2011-2013 Evaluation Timeline 15
  • 16. Steps Toward Common Criteria Approach: Step #1 (1) 16
  • 17. Steps Toward Common Criteria Approach: Step #1 (2) 17
  • 18. Steps Toward Common Criteria Approach: Step #1 (3) 2003-2013 Evaluation Timeline 18
  • 19. Steps Toward Common Criteria Approach: Step #2 (1) 19
  • 20. Steps Toward Common Criteria Approach: Step #2 (2) 20
  • 21. Steps Toward Common Criteria Approach: Certified Products, Russian 21 TOE Developer Approved PP Kaspersky Endpoint Security Kaspersky Lab. Host IDS, Antivirus, Security Level 2 Kaspersky Antivirus for Novell NetWare Kaspersky Lab. Antivirus, Security Level 2 Security Studio Endpoint Protection Security Code Host IDS, Antivirus, Security Level 4 (~ EAL3+) Kaspersky Security Center Kaspersky Lab. Antivirus, Security Level 2 Continent 3.7 Security Code Network IDS, Security Level 3
  • 22. Steps Toward Common Criteria Approach: Certified Products, Non-Russian 22 TOE Developer Approved PP Deep Security 8.0 Trend Micro Host IDS, Antivirus, Security Level 4 (~ EAL3+) McAfee NSP 7.1 McAfee Network IDS, Security Level 5 (~ EAL2+) Office Scan 10.6 Trend Micro Host IDS, Antivirus, Security Level 4 (~ EAL3+) McAfee Web Gateway 7.4 McAfee Antivirus, Security Level 5 (~ EAL2+)
  • 23. Final Remarks 1. First certifications according to the new requirements are 23 certifications of non-Russian products. 2. More and more leading non-Russian developers provide the Russian Evaluations Laboratories with access to their source code, and this tendency shall be observed in future. 3. Efficiency in detection of vulnerabilities in software submitted for certification will enhance. 4. Russian developers will pay more for certification. 5. The number of actively working Evaluations Laboratories will reduce.
  • 24. Contact Information 24  Alexander Barabanov, CISSP, CSSLP Head of Certification and Testing Department NPO Echelon ab@cnpo.ru  Alexey Markov, Ph.D, CISSP CEO of NPO Echelon am@cnpo.ru  Valentin Tsirlov, Ph.D, CISSP, CISM Executive Director of NPO Echelon z@cnpo.ru
  • 25. 25 Thank you for your attention!