SlideShare a Scribd company logo

EUCA22 - Patch Management ISO_IEC 15408 & 18045

Download as PPTX, PDF
Javier Tallón
Javier Tallón

Common Criteria is the most used international standard for cybersecurity certification for ICT products. CC has lights and shadows and for most of the stakeholders the main drawback might be the assurance continuity process. The application of CC for re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new versions of products. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 have been working hard in the last years to prepare the technical specification that could be used to evaluate the TOE’s patching functionality and the developer’s patch management by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it address the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of the ISO/IEC TS 9565.

Technology
1 of 26
Patch Management for ISO/IEC 15408 / Common Criteria Javier Tallón, jtsec Sebastian Fritsch, secuvera 2022 International Conference on the EU Cybersecurity Act 25.05.2022
• Overview – Patch problem description – ISO/IEC TS 9569: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045 • Concept • Practical considerations – Implications of Patch Management in the EUCC Scheme • Patch levels • EUCC Next steps – Conclusions
Patch problem description
• Patch problem description • Risk owner requirements • demand for certificate of product (TOE): assurance • but also for state-of-the-art security • security issue handling during product lifecycle • delivery of security updates • maintenance/support processes
• Patch problem description • As consequence risk owner often… • …has to accept known vulnerabilities • … can install patched but non-certified TOE updates
• Patch problem description • Problems of patch re-certification • costs and time for patch re-certification • only done if mandatory required by regulation • Product time to market • Continuous delivery • Vulnerabilities are made public and patched everyday • But re-certification of patches is slow • Security vs. Certification  really ?
• Patch problem description • Chances of this proposal • risk owner’s requirements will be addressed • regulatory body can request risk owners to install updates to remove existing vulnerabilities • modernized our CC toolbox • offer fast-track process • use assurance from patch management process evaluation • … • real chance to mandate re-certification (in regulation or contracts)
ISO Project ISO/IEC TS 9569: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045
• History and future • Patch Management is hot topic in ISO SC 27/WG 3 • Multiple study periods • Project was upgraded from TR to TS • (new) CC Roadmap discussions already refer to Patch Management Project  a lot of support
• Concept A. One static + one flexible building blocks 1. ALC_PAM – evaluate Patch Management Process as part of the standard evaluation (certification) – ready for augmentation 2. Patch/Update functionality in TOE scope – technical security capabilities for applying patches – Package for Patch Management: SPD, objectives and set of SFRs » attached as Annex » written as example – finally defined in the ST or PP B. Options for Certification Bodies
• New family ALC_PAM • ALC_PAM.1 Patch Management Processes – key elements: • security relevance report (SRR) – Developer’s self-assessment of security relevance of a planned patch • Patch Management Processes (PAM Processes) – require Patch Management Documentation (PMD), i.e. policies, processes, procedures and tools related to the patching of the TOE » mandatory procedures during patch release » polices when to re-certify/re-evaluate the TOE » end-of-support consideration of TOE » assessment and confirmation of the application of policies on a regular basis
• Options for Certification Bodies for cherry picking – Fast-Track Re-Certification – Different types of updates and related re-certification possibilities – Support re-use of evaluation results – Same-evaluator requirement – Re-Evaluation (without Certification) – Provide templates to support the analyse impact of changes of a patch – Trust by default developers in order to harmonize security and certification – Put penalties if developers do not follow the published rules – Mandate root cause analysis
• How to apply: practical considerations Guide for ST/PP authors: – add Extended Component Definition (ALC_PAM.1) to ST/PP – add Evaluator Work Unit to ST (or link referenced document) • both defined in ISO document – write Security Problem Definition (SPD), Objectives (for Patches) and SFRs • example is given in ISO document – watch out for ST/PP examples which include ALC_PAM.1 in the future
• first certificate including ALC_PAM.1 • genua: genugate 10.0 Z The TOE genugate 10.0 Z is a combination of an application level gateway (ALG) and a packet filter (PFL), which are implemented on two different systems. It is part of a larger product. The firewall genugate 10.0 Z consists of hardware and software. The TOE is part of the shipped software. The operating system is a modified OpenBSD. Sebastian Fritsch, secuvera | 19.10.2021 | Page 14 Source: BSI Website
• How to apply: practical considerations – Strong recommendation: Review existing PAM Processes • Check maturity of PAM Processes • e.g. Gap-Analysis • might help if Security Development Lifecycle (SDL) is already implemented – consider ALC_PAM.1 requirements • see Guidance in ISO Document ( Annex)
Implications of Patch Management in the EUCC Scheme
• Implications of Patch Management in the EUCC Scheme • Cyber Security Act: – (40) ENISA should contribute to raising the public’s awareness […] and to promote basic multi-factor authentication, patching, encryption, anonymisation and data protection advice. – (93) European cybersecurity certificates and EU statements of conformity should help end users to make informed choices. […] namely for how long the end user can expect to receive cybersecurity updates or patches […] – Article 54.1 A European cybersecurity certification scheme shall include at least the following elements: […] • (m) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with; […]
• Implications of Patch Management in the EUCC Scheme – One year since the publication of EUCC v1.1.1 – Chapter 14. Rules related to handling vulnerabilities implements the rules concerning how previously undetected cybersecurity vulnerabilities in ICT products are to be reported and dealt with (Art 54.1m) and provides the hook for patch management.
• Patch levels – The CB shall include in the certification report the applied Patch management mechanism and a clear delineation of the TOE scope (specially when it is part of a bigger product) – L1: Just notify CAB-CB and proceed to deploy. CAB may apply maintenance / release a maintenance report. – L2: Evaluate and then deploy. CAB shall update the version of the certificate. – L3: Fallback to assurance continuity for major changes. – CUF: Notify the CAB, then deploy, then evaluate. CAB shall update the version of the certificate.
• Patch levels – Level 2 – A time limit for evaluation may be agreed • Would require a contract with the ITSEF – It is possible to avoid testing based on the evidence provided (e.g. source code) – May not require approval to start from the CB – Bug fixes shall be considered typical minor changes
• Patch levels – Critical Update Flow – Will not require approval to start from the CB but the ITSEF and the CB shall be informed of the changes within five business days. – ITSEF shall have a priority queue • Would require a contract with the ITSEF – Will require validation from the CB
• Critical update flow triage – The following questions shall be answered • Is the product used within critical infrastructure? • Are there applicable liability issues? • Is safety at risk? • Is a working exploit available or even not needed? • Can the vulnerability be used to develop further attacks?
• Practical application – When a vulnerability is verified and the patch management was included in the initial evaluation the following steps will be done: • 1. Developer notifies the CAB and sends IAR • 2. Developer triages the severity of the vulnerability to determine if the Critical Update Flow is applicable. • 3. Developer determines the applicable patch level based on the affected evidence (major/minor) • 4. The following steps are done in different order depending on the level – Deploy the patch – Evaluate the patched TOE or classical assurance continuity (PL2) • 5. A maintenance report is emitted and certificate is updated
• EUCC Next Steps – We gained experience through the experiment conducted by Secuvera and BSI – Experience for other approaches may be needed (ISCI approach) – Further refinement under EUCC for the patch management chapter may be needed, including: • Harmonized interpretation of Major/Minor changes for vulnerabilities • Consider applying more widely the asynchronous approach. To which extent shall we require ITSEF/CB involvement? • Detail the triage process • Tuning with other aspects like vulnerability handling and monitoring? • There is some potential overlap/contradictions with assurance continuity and with Chapter 12 • Impact on EUCC ENISA website (certificate list)?
• Conclusions – ISO project status • next draft for distribution in ISO 1st of July – next ballot: DTS (Draft Technical Specification) – ask your ISO liasion organisation for the document, like CCUF • official project target: 2023-04-25 – On the EUCC Patch Management approach • Accepted for trial use opening the door to asynochronus evaluation alternatives • Further refinement is still needed
Thank you! Vielen Dank! ¡Muchas Gracias! Sebastian Fritsch sfritsch@secuvera.de +49-7032/9758-24 secuvera GmbH Siedlerstraße 22-24 71126 Gäufelden/Stuttgart Germany Javier Tallón jtallon@jtsec.es +34-858981999 jtsec Beyond IT Security Avenida de la Constitución 20, 208 18012 Granada Spain

Recommended

Towards creating an extension for patch management ISO/IEC 15408 &18045
Towards creating an extension for patch management ISO/IEC 15408 &18045Towards creating an extension for patch management ISO/IEC 15408 &18045
Towards creating an extension for patch management ISO/IEC 15408 &18045
Javier Tallón
 
E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...
Dolly Juhu
 
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
babak danyal
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
EnergySec
 
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM IIIEmbedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
Ni
 
Release Verification Team Proposal
Release Verification Team ProposalRelease Verification Team Proposal
Release Verification Team Proposal
Raghunath (Gautam) Soman
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
Javier Tallón
 
1 - Introduction to Computerized Systems Validation - for review.pptx
1 - Introduction to Computerized Systems Validation - for review.pptx1 - Introduction to Computerized Systems Validation - for review.pptx
1 - Introduction to Computerized Systems Validation - for review.pptx
patemalabanan
 

Recommended

Towards creating an extension for patch management ISO/IEC 15408 &18045
Towards creating an extension for patch management ISO/IEC 15408 &18045Towards creating an extension for patch management ISO/IEC 15408 &18045
Towards creating an extension for patch management ISO/IEC 15408 &18045
Javier Tallón
 
E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...
Dolly Juhu
 
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
babak danyal
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
EnergySec
 
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM IIIEmbedded Systems Q and A M.Sc.(IT) PART II SEM III
Embedded Systems Q and A M.Sc.(IT) PART II SEM III
Ni
 
Release Verification Team Proposal
Release Verification Team ProposalRelease Verification Team Proposal
Release Verification Team Proposal
Raghunath (Gautam) Soman
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
Javier Tallón
 
1 - Introduction to Computerized Systems Validation - for review.pptx
1 - Introduction to Computerized Systems Validation - for review.pptx1 - Introduction to Computerized Systems Validation - for review.pptx
1 - Introduction to Computerized Systems Validation - for review.pptx
patemalabanan
 
Vish- Validation Master Plan
Vish- Validation Master PlanVish- Validation Master Plan
Vish- Validation Master Plan
Vishal Parikh
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Verhaert Masters in Innovation
 
SWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESSSWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESS
Filippo Ferri
 
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocessAktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
InboundLabs (ex mon.ki inc)
 
Validation master plan
Validation master planValidation master plan
Validation master plan
Priyanka Kandhare
 
commissioning.pdf
commissioning.pdfcommissioning.pdf
commissioning.pdf
haris348605
 
19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx
Tran Duc Dai
 
Controlling interests editors
Controlling interests editorsControlling interests editors
Controlling interests editors
eldhoev
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssmNcerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssm
ssmarar
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
YoussefElsamman
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Venkat Janardhanam, MS, MBA
 
Unit 8 final
Unit 8 finalUnit 8 final
Unit 8 finalsietkcse
 
CMMC briefing
CMMC briefingCMMC briefing
CMMC briefing
Ulrik Holm Nielsen
 
Validation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortValidation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effort
Veeva Systems
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
Perficient
 
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
Gaurav Singh Rajput
 
unit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxunit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptx
PriyaFulpagare1
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
CAVEDPRAKASHPALIWAL
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
CAVEDPRAKASHPALIWAL
 
L9 quality assurance and documentation
L9 quality assurance and documentationL9 quality assurance and documentation
L9 quality assurance and documentationOMWOMA JACKSON
 
Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Javier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Javier Tallón
 

More Related Content

Similar to EUCA22 - Patch Management ISO_IEC 15408 & 18045

Vish- Validation Master Plan
Vish- Validation Master PlanVish- Validation Master Plan
Vish- Validation Master Plan
Vishal Parikh
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Verhaert Masters in Innovation
 
SWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESSSWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESS
Filippo Ferri
 
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocessAktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
InboundLabs (ex mon.ki inc)
 
Validation master plan
Validation master planValidation master plan
Validation master plan
Priyanka Kandhare
 
commissioning.pdf
commissioning.pdfcommissioning.pdf
commissioning.pdf
haris348605
 
19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx
Tran Duc Dai
 
Controlling interests editors
Controlling interests editorsControlling interests editors
Controlling interests editors
eldhoev
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssmNcerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssm
ssmarar
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
YoussefElsamman
 
Unit 8 final
Unit 8 finalUnit 8 final
Unit 8 finalsietkcse
 
CMMC briefing
CMMC briefingCMMC briefing
CMMC briefing
Ulrik Holm Nielsen
 
Validation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortValidation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effort
Veeva Systems
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
Perficient
 
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
Gaurav Singh Rajput
 
unit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxunit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptx
PriyaFulpagare1
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
CAVEDPRAKASHPALIWAL
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
CAVEDPRAKASHPALIWAL
 
L9 quality assurance and documentation
L9 quality assurance and documentationL9 quality assurance and documentation
L9 quality assurance and documentationOMWOMA JACKSON
 

Similar to EUCA22 - Patch Management ISO_IEC 15408 & 18045 (20)

Vish- Validation Master Plan
Vish- Validation Master PlanVish- Validation Master Plan
Vish- Validation Master Plan
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
 
SWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESSSWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESS
 
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocessAktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
 
Validation master plan
Validation master planValidation master plan
Validation master plan
 
commissioning.pdf
commissioning.pdfcommissioning.pdf
commissioning.pdf
 
19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx
 
Controlling interests editors
Controlling interests editorsControlling interests editors
Controlling interests editors
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssmNcerc rlmca202 adm m3 ssm
Ncerc rlmca202 adm m3 ssm
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
 
Unit 8 final
Unit 8 finalUnit 8 final
Unit 8 final
 
CMMC briefing
CMMC briefingCMMC briefing
CMMC briefing
 
Validation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortValidation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effort
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
 
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
 
unit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxunit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptx
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
 
L9 quality assurance and documentation
L9 quality assurance and documentationL9 quality assurance and documentation
L9 quality assurance and documentation
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Javier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
Javier Tallón
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
Javier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
Javier Tallón
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
Javier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
Javier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
Javier Tallón
 
CCCAB - Making CABs life easy
CCCAB - Making CABs life easyCCCAB - Making CABs life easy
CCCAB - Making CABs life easy
Javier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 
CCCAB - Making CABs life easy
CCCAB - Making CABs life easyCCCAB - Making CABs life easy
CCCAB - Making CABs life easy
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 

EUCA22 - Patch Management ISO_IEC 15408 & 18045

  • 1. Patch Management for ISO/IEC 15408 / Common Criteria Javier Tallón, jtsec Sebastian Fritsch, secuvera 2022 International Conference on the EU Cybersecurity Act 25.05.2022
  • 2. • Overview – Patch problem description – ISO/IEC TS 9569: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045 • Concept • Practical considerations – Implications of Patch Management in the EUCC Scheme • Patch levels • EUCC Next steps – Conclusions
  • 4. • Patch problem description • Risk owner requirements • demand for certificate of product (TOE): assurance • but also for state-of-the-art security • security issue handling during product lifecycle • delivery of security updates • maintenance/support processes
  • 5. • Patch problem description • As consequence risk owner often… • …has to accept known vulnerabilities • … can install patched but non-certified TOE updates
  • 6. • Patch problem description • Problems of patch re-certification • costs and time for patch re-certification • only done if mandatory required by regulation • Product time to market • Continuous delivery • Vulnerabilities are made public and patched everyday • But re-certification of patches is slow • Security vs. Certification  really ?
  • 7. • Patch problem description • Chances of this proposal • risk owner’s requirements will be addressed • regulatory body can request risk owners to install updates to remove existing vulnerabilities • modernized our CC toolbox • offer fast-track process • use assurance from patch management process evaluation • … • real chance to mandate re-certification (in regulation or contracts)
  • 8. ISO Project ISO/IEC TS 9569: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045
  • 9. • History and future • Patch Management is hot topic in ISO SC 27/WG 3 • Multiple study periods • Project was upgraded from TR to TS • (new) CC Roadmap discussions already refer to Patch Management Project  a lot of support
  • 10. • Concept A. One static + one flexible building blocks 1. ALC_PAM – evaluate Patch Management Process as part of the standard evaluation (certification) – ready for augmentation 2. Patch/Update functionality in TOE scope – technical security capabilities for applying patches – Package for Patch Management: SPD, objectives and set of SFRs » attached as Annex » written as example – finally defined in the ST or PP B. Options for Certification Bodies
  • 11. • New family ALC_PAM • ALC_PAM.1 Patch Management Processes – key elements: • security relevance report (SRR) – Developer’s self-assessment of security relevance of a planned patch • Patch Management Processes (PAM Processes) – require Patch Management Documentation (PMD), i.e. policies, processes, procedures and tools related to the patching of the TOE » mandatory procedures during patch release » polices when to re-certify/re-evaluate the TOE » end-of-support consideration of TOE » assessment and confirmation of the application of policies on a regular basis
  • 12. • Options for Certification Bodies for cherry picking – Fast-Track Re-Certification – Different types of updates and related re-certification possibilities – Support re-use of evaluation results – Same-evaluator requirement – Re-Evaluation (without Certification) – Provide templates to support the analyse impact of changes of a patch – Trust by default developers in order to harmonize security and certification – Put penalties if developers do not follow the published rules – Mandate root cause analysis
  • 13. • How to apply: practical considerations Guide for ST/PP authors: – add Extended Component Definition (ALC_PAM.1) to ST/PP – add Evaluator Work Unit to ST (or link referenced document) • both defined in ISO document – write Security Problem Definition (SPD), Objectives (for Patches) and SFRs • example is given in ISO document – watch out for ST/PP examples which include ALC_PAM.1 in the future
  • 14. • first certificate including ALC_PAM.1 • genua: genugate 10.0 Z The TOE genugate 10.0 Z is a combination of an application level gateway (ALG) and a packet filter (PFL), which are implemented on two different systems. It is part of a larger product. The firewall genugate 10.0 Z consists of hardware and software. The TOE is part of the shipped software. The operating system is a modified OpenBSD. Sebastian Fritsch, secuvera | 19.10.2021 | Page 14 Source: BSI Website
  • 15. • How to apply: practical considerations – Strong recommendation: Review existing PAM Processes • Check maturity of PAM Processes • e.g. Gap-Analysis • might help if Security Development Lifecycle (SDL) is already implemented – consider ALC_PAM.1 requirements • see Guidance in ISO Document ( Annex)
  • 16. Implications of Patch Management in the EUCC Scheme
  • 17. • Implications of Patch Management in the EUCC Scheme • Cyber Security Act: – (40) ENISA should contribute to raising the public’s awareness […] and to promote basic multi-factor authentication, patching, encryption, anonymisation and data protection advice. – (93) European cybersecurity certificates and EU statements of conformity should help end users to make informed choices. […] namely for how long the end user can expect to receive cybersecurity updates or patches […] – Article 54.1 A European cybersecurity certification scheme shall include at least the following elements: […] • (m) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with; […]
  • 18. • Implications of Patch Management in the EUCC Scheme – One year since the publication of EUCC v1.1.1 – Chapter 14. Rules related to handling vulnerabilities implements the rules concerning how previously undetected cybersecurity vulnerabilities in ICT products are to be reported and dealt with (Art 54.1m) and provides the hook for patch management.
  • 19. • Patch levels – The CB shall include in the certification report the applied Patch management mechanism and a clear delineation of the TOE scope (specially when it is part of a bigger product) – L1: Just notify CAB-CB and proceed to deploy. CAB may apply maintenance / release a maintenance report. – L2: Evaluate and then deploy. CAB shall update the version of the certificate. – L3: Fallback to assurance continuity for major changes. – CUF: Notify the CAB, then deploy, then evaluate. CAB shall update the version of the certificate.
  • 20. • Patch levels – Level 2 – A time limit for evaluation may be agreed • Would require a contract with the ITSEF – It is possible to avoid testing based on the evidence provided (e.g. source code) – May not require approval to start from the CB – Bug fixes shall be considered typical minor changes
  • 21. • Patch levels – Critical Update Flow – Will not require approval to start from the CB but the ITSEF and the CB shall be informed of the changes within five business days. – ITSEF shall have a priority queue • Would require a contract with the ITSEF – Will require validation from the CB
  • 22. • Critical update flow triage – The following questions shall be answered • Is the product used within critical infrastructure? • Are there applicable liability issues? • Is safety at risk? • Is a working exploit available or even not needed? • Can the vulnerability be used to develop further attacks?
  • 23. • Practical application – When a vulnerability is verified and the patch management was included in the initial evaluation the following steps will be done: • 1. Developer notifies the CAB and sends IAR • 2. Developer triages the severity of the vulnerability to determine if the Critical Update Flow is applicable. • 3. Developer determines the applicable patch level based on the affected evidence (major/minor) • 4. The following steps are done in different order depending on the level – Deploy the patch – Evaluate the patched TOE or classical assurance continuity (PL2) • 5. A maintenance report is emitted and certificate is updated
  • 24. • EUCC Next Steps – We gained experience through the experiment conducted by Secuvera and BSI – Experience for other approaches may be needed (ISCI approach) – Further refinement under EUCC for the patch management chapter may be needed, including: • Harmonized interpretation of Major/Minor changes for vulnerabilities • Consider applying more widely the asynchronous approach. To which extent shall we require ITSEF/CB involvement? • Detail the triage process • Tuning with other aspects like vulnerability handling and monitoring? • There is some potential overlap/contradictions with assurance continuity and with Chapter 12 • Impact on EUCC ENISA website (certificate list)?
  • 25. • Conclusions – ISO project status • next draft for distribution in ISO 1st of July – next ballot: DTS (Draft Technical Specification) – ask your ISO liasion organisation for the document, like CCUF • official project target: 2023-04-25 – On the EUCC Patch Management approach • Accepted for trial use opening the door to asynochronus evaluation alternatives • Further refinement is still needed
  • 26. Thank you! Vielen Dank! ¡Muchas Gracias! Sebastian Fritsch sfritsch@secuvera.de +49-7032/9758-24 secuvera GmbH Siedlerstraße 22-24 71126 Gäufelden/Stuttgart Germany Javier Tallón jtallon@jtsec.es +34-858981999 jtsec Beyond IT Security Avenida de la Constitución 20, 208 18012 Granada Spain

Editor's Notes

  1. 1a. The manufacturer or provider shall report within a business day to the certification body (CB) that issued the certificate the possibility of a related vulnerability and provide within five business days a date for when a vulnerability analysis will be established. 1b. When the information about a possibility of a vulnerability related to the certified ICT product is available first at the CB, the CB shall inform within a business day the manufacturer or provider and request a vulnerability analysis and a date for this analysis within five business days. 2. agree on a proposed date to have the impact of the vulnerability analysed, but this shall not exceed 90 days 3. If the developer is not responsive or does not meet the agreed date, certificate is suspended 4. During analysis, if the vulnerability is disproved, documentation kept for 5 years 5. If the vulnerability is verified, certificate is suspended and then 6. If the product was not certified including an accepted patch management process, we will fallback to the classical assurance continuity procedure with potentially new options for scope reduction 7. Otherwise, a whole new world of possibilities are opened.