SlideShare a Scribd company logo
Patch Management
for
ISO/IEC 15408 / Common Criteria
Javier Tallón, jtsec
Sebastian Fritsch, secuvera
ICCC 17.11.2020
• Overview
– Background
– Problem description: certification vs. security
– ISO Project:
Towards Creating an Extension for Patch Management
for ISO/IEC 15408 and ISO/IEC 18045
• Concept
– ALC_PAM + SPD (for PAM) + (opt.) SFRs (for PAM)
• Outlook
– How to apply: practical considerations
– Conclusions
Background
• Background
– Product time to market
• Continuous delivery
• Vulnerabilities are made public and patched everyday
• But certification is painfully slow
– Hot topic during first study period at ISO SC27 (2017)
• Very ambitious
– Continuous assurance, & all kind of situations
– A lot of new CC Concepts
• Conclusions
– Too difficult
– Not enough experience
– But real-world problem that needs to be solved
• Background
– Different approaches to Patch Management
• Common Criteria
– Classic: slow / IAR
– JIL: base of our proposal / smartcards
– ISCI WG1: same objectives / different approach
• FIPS 140-2: 3ASUB / priority Q / templates
• PCI-PTS: evaluated LC / trust by default
• EMVCo: fast track
Problem description
• Problem description
– Certified TOE with known vulnerabilities
• risk owners need updates
– But updates are not certified
• costs, time for certification
• only done if required by regulation
– Problem not limited to Common Criteria/ISO 15408,
but any other security product certification
• relevant to any product certification with defined version
• Problem description
– CC compliant operation of TOEs often leads to
• risk owner has to accept known vulnerabilities
• but those were already fixed in a non-certified TOE update
– Chances of this proposal
• risk owner gets possibility to remove existing, known vulnerabilities
• regulatory body can request risk owners to install updates to
remove existing vulnerabilities
• modernized tool to mandate the use of software which will be
secure after certification but also later in the product lifecycle
• Current status
– Risk owner
• demand for certificate of product (TOE)
• but also for
– security issue handling correction and
– delivery of security updates
– often called “support processes”
• Other options
“Perfect the testing so no many patches
need to be installed”
ATE_PERFECT.1
ISO Project
• Concept
A. Two (+one) building blocks
1. ALC_PAM
– Evaluate the Patch Management Process as part of the standard
evaluation (certification)
2. SPD (for PAM)
– Common ground for all TOE types: SPD and adaptable Objectives
3. optional SFRs (for PAM)
– Technical capabilities for applying patches
– Generic solution (set of SFRs)
– Other sets of SFRs might be equivalent, needed to support
legacy/existing PPs
B. Options for Certification Bodies
• New family ALC_PAM
• ALC_PAM.1 Patch Management Processes
– key elements:
• Security Impact Analysis Report (S-IAR)
– Developer’s self-assessment of security relevance of a planned patch
• Patch Management Policies
– describes the mandatory procedures during patch release
– rules when to re-certify or re-evaluate the TOE
– end-of-support consideration of TOE
– assessment and confirmation of the application of Patch Management
Policies on a regular basis
• Options for Certification Bodies
…for optimization
– Fast-Track Re-Certification
– Re-Evaluation (without Certification)
– Provide templates to support the analyse impact of changes of
a patch
– Trust by default developers in order to harmonize security and
certification
– Put penalties if developers do not follow the published rules
• Timeline
– 2º SP opened in September 2019 - Paris
– Results of 2ºSP  Creation of a TR - St. Petersburg ISO
meeting
– 1st WD finalized by 19 of June 2020
– Heavy discussion – Warsaw ISO meeting
– 2nd WD finalized by 18 of January 2021
– 2021 balloting of the 3rd WD
• International support
• Ongoing discussion in ISO for WD2
will be available January
– “TOE and patch”: analyse the impact on other SARs
• option 1: modify SARs (like in JIL documents)
• option 2: add requirements to ALC_PAM
– Create (adoptable) set of objectives
• and make set of SFRs only an option
– Set of SFRs:
• use CC Part 2, or
• create new SFRs (use ECD)
– Terminology: ISO, JIL, GP, … terminology
• find minimum conflicting terminology for different communities
– Try to keep ALC_PAM mostly stable
• but minor changes necessary
How to apply:
practical considerations
• Current Working Draft of ISO Document
– available here:
https://www.jtsec.es/papers/Technical/Report_Patch_Management.pdf
• Guide for ST/PP authors:
– add Extended Component Definition (ALC_PAM.1) to ST
– add Evaluator Work Unit to ST (or link referenced document)
• both defined in ISO document
– add Security Problem Definition (SPD) and Objectives (for
Patches) to ST
• defined in ISO document
– add SFRs to ST
• if applicable to TOE
• otherwise modify SFRs, or take other set of SFRs
• Prepare/Update Patch Management Processes
– Check degree of implementation of existing Patch Management
Processes
• consider ALC_PAM.1 requirements
– see also Guidance in ISO Document ( Annexes)
• Developer perspective – Detailed Requirements
– provide security patches until estimated end-of-support
– for each patch/release: Security Impact Analysis Report (S-IAR)
– update the evidence documentation used in the base evaluation
– record decisions in the patch management process (transparency)
– implement Patch Management Policy
• communicate end-of-support
• define content of patch release notes
• mandatory procedures during patch release
• self-assess and confirm the application of these policies
• conditions for additional tests by ITSEF/lab before release
• Evaluator perspective
– What do I have to evaluate / look for?
– As part of the ´common´ evaluation process
• The set of SFRs chosen by the vendor solves the PAM SPD
• The set of SFRs chosen by the vendor are adequately implemented
(ATE/AVA)
– As part of ALC_PAM
• Content and presentation requirements
– The process for patch release, including responsibilities
– The secure use of cryptographic keys involved in patch generation
• Evidence of application of PAM procedures and self-assessment
– Through dry run
– Sampling during a site visit
• Pilot projects
– secuvera runs first pilot of ALC_PAM evaluation in German CC
scheme (BSI) with genua
• Note: ALC_PAM version from the beginning of 2020
• Conclusions
– We are trying to solve a real world problem
– We are doing it very fast! Balloting of the TR by Autumn’21
– International support
– Multi community support
– Accepted for trial use by the new EUCC opening the door to the
Critical Update Flow
Thank you!
Vielen Dank!
¡Muchas Gracias! Sebastian Fritsch
sfritsch@secuvera.de
+49-7032/9758-24
secuvera GmbH
Siedlerstraße 22-24
71126 Gäufelden/Stuttgart
Germany
Javier Tallón
jtallon@jtsec.es
+34-858981999
jtsec Beyond IT Security
Avenida de la Constitución 20, 208
18012 Granada
Spain

More Related Content

What's hot

ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??
Fáber D. Giraldo
 
Shackelford Examples V1
Shackelford Examples V1Shackelford Examples V1
Shackelford Examples V1
Larry_Shackelford
 
ISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standardsISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standards
Fareha Nadeem
 
"ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with..."ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with...
TEST Huddle
 
CPU Verification
CPU VerificationCPU Verification
CPU Verification
Ramdas Mozhikunnath
 
Verification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathVerification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career Path
Ramdas Mozhikunnath
 
Basics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow DevicesBasics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow Devices
Arrow Devices
 
55th세미나 발표자료
55th세미나 발표자료55th세미나 발표자료
55th세미나 발표자료
Kim Sjoon
 
Softwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan SahadviSoftwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan Sahadvi
AbuulHassan2
 
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Pôle Systematic Paris-Region
 
I software quality
I   software qualityI   software quality
I software quality
Fáber D. Giraldo
 
MydhiliVadlamaniCV
MydhiliVadlamaniCVMydhiliVadlamaniCV
MydhiliVadlamaniCV
Mydhili Vadlamani
 
Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...
PMI-Montréal
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
Saqib Raza
 
Qa
QaQa
Sqa
SqaSqa

What's hot (16)

ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??
 
Shackelford Examples V1
Shackelford Examples V1Shackelford Examples V1
Shackelford Examples V1
 
ISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standardsISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standards
 
"ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with..."ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with...
 
CPU Verification
CPU VerificationCPU Verification
CPU Verification
 
Verification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathVerification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career Path
 
Basics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow DevicesBasics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow Devices
 
55th세미나 발표자료
55th세미나 발표자료55th세미나 발표자료
55th세미나 발표자료
 
Softwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan SahadviSoftwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan Sahadvi
 
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
 
I software quality
I   software qualityI   software quality
I software quality
 
MydhiliVadlamaniCV
MydhiliVadlamaniCVMydhiliVadlamaniCV
MydhiliVadlamaniCV
 
Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
 
Qa
QaQa
Qa
 
Sqa
SqaSqa
Sqa
 

Similar to Towards creating an extension for patch management ISO/IEC 15408 &18045

EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
Javier Tallón
 
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
babak danyal
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
Perficient
 
Sanjay
SanjaySanjay
Sanjay
rehana00
 
Introduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformIntroduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure Platform
SZ Lin
 
Release Verification Team Proposal
Release Verification Team  ProposalRelease Verification Team  Proposal
Release Verification Team Proposal
Raghunath (Gautam) Soman
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
RppsKumar1
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
ghkadous
 
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Perficient
 
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdfLife cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
SohamChatterjee47
 
2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx
JohnLagman3
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
Venkat Janardhanam, MS, MBA
 
Comp8 unit5 lecture_slides
Comp8 unit5 lecture_slidesComp8 unit5 lecture_slides
Comp8 unit5 lecture_slides
CMDLMS
 
tip oopt pse-summit2017
tip oopt pse-summit2017tip oopt pse-summit2017
tip oopt pse-summit2017
domenico di mola
 
AiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 bAiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 b
AiTi Education
 
Software Process Models
Software Process ModelsSoftware Process Models
Software Process Models
Rody Middelkoop
 
Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008
Pete Schneider
 
Software Engineering : Process Models
Software Engineering : Process ModelsSoftware Engineering : Process Models
Software Engineering : Process Models
Ajit Nayak
 
Software life cycle
Software life cycleSoftware life cycle
Software life cycle
kingseif
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
YoussefElsamman
 

Similar to Towards creating an extension for patch management ISO/IEC 15408 &18045 (20)

EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
 
Sanjay
SanjaySanjay
Sanjay
 
Introduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformIntroduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure Platform
 
Release Verification Team Proposal
Release Verification Team  ProposalRelease Verification Team  Proposal
Release Verification Team Proposal
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
 
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
 
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdfLife cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
 
2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
 
Comp8 unit5 lecture_slides
Comp8 unit5 lecture_slidesComp8 unit5 lecture_slides
Comp8 unit5 lecture_slides
 
tip oopt pse-summit2017
tip oopt pse-summit2017tip oopt pse-summit2017
tip oopt pse-summit2017
 
AiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 bAiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 b
 
Software Process Models
Software Process ModelsSoftware Process Models
Software Process Models
 
Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008
 
Software Engineering : Process Models
Software Engineering : Process ModelsSoftware Engineering : Process Models
Software Engineering : Process Models
 
Software life cycle
Software life cycleSoftware life cycle
Software life cycle
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Javier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
Javier Tallón
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
Javier Tallón
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
Javier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
Javier Tallón
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
Javier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
Javier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
Javier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 

Recently uploaded

Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 

Recently uploaded (20)

Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 

Towards creating an extension for patch management ISO/IEC 15408 &18045

  • 1. Patch Management for ISO/IEC 15408 / Common Criteria Javier Tallón, jtsec Sebastian Fritsch, secuvera ICCC 17.11.2020
  • 2. • Overview – Background – Problem description: certification vs. security – ISO Project: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045 • Concept – ALC_PAM + SPD (for PAM) + (opt.) SFRs (for PAM) • Outlook – How to apply: practical considerations – Conclusions
  • 4. • Background – Product time to market • Continuous delivery • Vulnerabilities are made public and patched everyday • But certification is painfully slow – Hot topic during first study period at ISO SC27 (2017) • Very ambitious – Continuous assurance, & all kind of situations – A lot of new CC Concepts • Conclusions – Too difficult – Not enough experience – But real-world problem that needs to be solved
  • 5. • Background – Different approaches to Patch Management • Common Criteria – Classic: slow / IAR – JIL: base of our proposal / smartcards – ISCI WG1: same objectives / different approach • FIPS 140-2: 3ASUB / priority Q / templates • PCI-PTS: evaluated LC / trust by default • EMVCo: fast track
  • 7. • Problem description – Certified TOE with known vulnerabilities • risk owners need updates – But updates are not certified • costs, time for certification • only done if required by regulation – Problem not limited to Common Criteria/ISO 15408, but any other security product certification • relevant to any product certification with defined version
  • 8. • Problem description – CC compliant operation of TOEs often leads to • risk owner has to accept known vulnerabilities • but those were already fixed in a non-certified TOE update – Chances of this proposal • risk owner gets possibility to remove existing, known vulnerabilities • regulatory body can request risk owners to install updates to remove existing vulnerabilities • modernized tool to mandate the use of software which will be secure after certification but also later in the product lifecycle
  • 9. • Current status – Risk owner • demand for certificate of product (TOE) • but also for – security issue handling correction and – delivery of security updates – often called “support processes”
  • 10. • Other options “Perfect the testing so no many patches need to be installed” ATE_PERFECT.1
  • 12. • Concept A. Two (+one) building blocks 1. ALC_PAM – Evaluate the Patch Management Process as part of the standard evaluation (certification) 2. SPD (for PAM) – Common ground for all TOE types: SPD and adaptable Objectives 3. optional SFRs (for PAM) – Technical capabilities for applying patches – Generic solution (set of SFRs) – Other sets of SFRs might be equivalent, needed to support legacy/existing PPs B. Options for Certification Bodies
  • 13. • New family ALC_PAM • ALC_PAM.1 Patch Management Processes – key elements: • Security Impact Analysis Report (S-IAR) – Developer’s self-assessment of security relevance of a planned patch • Patch Management Policies – describes the mandatory procedures during patch release – rules when to re-certify or re-evaluate the TOE – end-of-support consideration of TOE – assessment and confirmation of the application of Patch Management Policies on a regular basis
  • 14. • Options for Certification Bodies …for optimization – Fast-Track Re-Certification – Re-Evaluation (without Certification) – Provide templates to support the analyse impact of changes of a patch – Trust by default developers in order to harmonize security and certification – Put penalties if developers do not follow the published rules
  • 15. • Timeline – 2º SP opened in September 2019 - Paris – Results of 2ºSP  Creation of a TR - St. Petersburg ISO meeting – 1st WD finalized by 19 of June 2020 – Heavy discussion – Warsaw ISO meeting – 2nd WD finalized by 18 of January 2021 – 2021 balloting of the 3rd WD • International support
  • 16. • Ongoing discussion in ISO for WD2 will be available January – “TOE and patch”: analyse the impact on other SARs • option 1: modify SARs (like in JIL documents) • option 2: add requirements to ALC_PAM – Create (adoptable) set of objectives • and make set of SFRs only an option – Set of SFRs: • use CC Part 2, or • create new SFRs (use ECD) – Terminology: ISO, JIL, GP, … terminology • find minimum conflicting terminology for different communities – Try to keep ALC_PAM mostly stable • but minor changes necessary
  • 17. How to apply: practical considerations
  • 18. • Current Working Draft of ISO Document – available here: https://www.jtsec.es/papers/Technical/Report_Patch_Management.pdf
  • 19. • Guide for ST/PP authors: – add Extended Component Definition (ALC_PAM.1) to ST – add Evaluator Work Unit to ST (or link referenced document) • both defined in ISO document – add Security Problem Definition (SPD) and Objectives (for Patches) to ST • defined in ISO document – add SFRs to ST • if applicable to TOE • otherwise modify SFRs, or take other set of SFRs
  • 20. • Prepare/Update Patch Management Processes – Check degree of implementation of existing Patch Management Processes • consider ALC_PAM.1 requirements – see also Guidance in ISO Document ( Annexes)
  • 21. • Developer perspective – Detailed Requirements – provide security patches until estimated end-of-support – for each patch/release: Security Impact Analysis Report (S-IAR) – update the evidence documentation used in the base evaluation – record decisions in the patch management process (transparency) – implement Patch Management Policy • communicate end-of-support • define content of patch release notes • mandatory procedures during patch release • self-assess and confirm the application of these policies • conditions for additional tests by ITSEF/lab before release
  • 22. • Evaluator perspective – What do I have to evaluate / look for? – As part of the ´common´ evaluation process • The set of SFRs chosen by the vendor solves the PAM SPD • The set of SFRs chosen by the vendor are adequately implemented (ATE/AVA) – As part of ALC_PAM • Content and presentation requirements – The process for patch release, including responsibilities – The secure use of cryptographic keys involved in patch generation • Evidence of application of PAM procedures and self-assessment – Through dry run – Sampling during a site visit
  • 23. • Pilot projects – secuvera runs first pilot of ALC_PAM evaluation in German CC scheme (BSI) with genua • Note: ALC_PAM version from the beginning of 2020
  • 24. • Conclusions – We are trying to solve a real world problem – We are doing it very fast! Balloting of the TR by Autumn’21 – International support – Multi community support – Accepted for trial use by the new EUCC opening the door to the Critical Update Flow
  • 25. Thank you! Vielen Dank! ¡Muchas Gracias! Sebastian Fritsch sfritsch@secuvera.de +49-7032/9758-24 secuvera GmbH Siedlerstraße 22-24 71126 Gäufelden/Stuttgart Germany Javier Tallón jtallon@jtsec.es +34-858981999 jtsec Beyond IT Security Avenida de la Constitución 20, 208 18012 Granada Spain