SlideShare a Scribd company logo
Patch Management
for
ISO/IEC 15408 / Common Criteria
Javier Tallón, jtsec
Sebastian Fritsch, secuvera
ICCC 17.11.2020
• Overview
– Background
– Problem description: certification vs. security
– ISO Project:
Towards Creating an Extension for Patch Management
for ISO/IEC 15408 and ISO/IEC 18045
• Concept
– ALC_PAM + SPD (for PAM) + (opt.) SFRs (for PAM)
• Outlook
– How to apply: practical considerations
– Conclusions
Background
• Background
– Product time to market
• Continuous delivery
• Vulnerabilities are made public and patched everyday
• But certification is painfully slow
– Hot topic during first study period at ISO SC27 (2017)
• Very ambitious
– Continuous assurance, & all kind of situations
– A lot of new CC Concepts
• Conclusions
– Too difficult
– Not enough experience
– But real-world problem that needs to be solved
• Background
– Different approaches to Patch Management
• Common Criteria
– Classic: slow / IAR
– JIL: base of our proposal / smartcards
– ISCI WG1: same objectives / different approach
• FIPS 140-2: 3ASUB / priority Q / templates
• PCI-PTS: evaluated LC / trust by default
• EMVCo: fast track
Problem description
• Problem description
– Certified TOE with known vulnerabilities
• risk owners need updates
– But updates are not certified
• costs, time for certification
• only done if required by regulation
– Problem not limited to Common Criteria/ISO 15408,
but any other security product certification
• relevant to any product certification with defined version
• Problem description
– CC compliant operation of TOEs often leads to
• risk owner has to accept known vulnerabilities
• but those were already fixed in a non-certified TOE update
– Chances of this proposal
• risk owner gets possibility to remove existing, known vulnerabilities
• regulatory body can request risk owners to install updates to
remove existing vulnerabilities
• modernized tool to mandate the use of software which will be
secure after certification but also later in the product lifecycle
• Current status
– Risk owner
• demand for certificate of product (TOE)
• but also for
– security issue handling correction and
– delivery of security updates
– often called “support processes”
• Other options
“Perfect the testing so no many patches
need to be installed”
ATE_PERFECT.1
ISO Project
• Concept
A. Two (+one) building blocks
1. ALC_PAM
– Evaluate the Patch Management Process as part of the standard
evaluation (certification)
2. SPD (for PAM)
– Common ground for all TOE types: SPD and adaptable Objectives
3. optional SFRs (for PAM)
– Technical capabilities for applying patches
– Generic solution (set of SFRs)
– Other sets of SFRs might be equivalent, needed to support
legacy/existing PPs
B. Options for Certification Bodies
• New family ALC_PAM
• ALC_PAM.1 Patch Management Processes
– key elements:
• Security Impact Analysis Report (S-IAR)
– Developer’s self-assessment of security relevance of a planned patch
• Patch Management Policies
– describes the mandatory procedures during patch release
– rules when to re-certify or re-evaluate the TOE
– end-of-support consideration of TOE
– assessment and confirmation of the application of Patch Management
Policies on a regular basis
• Options for Certification Bodies
…for optimization
– Fast-Track Re-Certification
– Re-Evaluation (without Certification)
– Provide templates to support the analyse impact of changes of
a patch
– Trust by default developers in order to harmonize security and
certification
– Put penalties if developers do not follow the published rules
• Timeline
– 2º SP opened in September 2019 - Paris
– Results of 2ºSP  Creation of a TR - St. Petersburg ISO
meeting
– 1st WD finalized by 19 of June 2020
– Heavy discussion – Warsaw ISO meeting
– 2nd WD finalized by 18 of January 2021
– 2021 balloting of the 3rd WD
• International support
• Ongoing discussion in ISO for WD2
will be available January
– “TOE and patch”: analyse the impact on other SARs
• option 1: modify SARs (like in JIL documents)
• option 2: add requirements to ALC_PAM
– Create (adoptable) set of objectives
• and make set of SFRs only an option
– Set of SFRs:
• use CC Part 2, or
• create new SFRs (use ECD)
– Terminology: ISO, JIL, GP, … terminology
• find minimum conflicting terminology for different communities
– Try to keep ALC_PAM mostly stable
• but minor changes necessary
How to apply:
practical considerations
• Current Working Draft of ISO Document
– available here:
https://www.jtsec.es/papers/Technical/Report_Patch_Management.pdf
• Guide for ST/PP authors:
– add Extended Component Definition (ALC_PAM.1) to ST
– add Evaluator Work Unit to ST (or link referenced document)
• both defined in ISO document
– add Security Problem Definition (SPD) and Objectives (for
Patches) to ST
• defined in ISO document
– add SFRs to ST
• if applicable to TOE
• otherwise modify SFRs, or take other set of SFRs
• Prepare/Update Patch Management Processes
– Check degree of implementation of existing Patch Management
Processes
• consider ALC_PAM.1 requirements
– see also Guidance in ISO Document ( Annexes)
• Developer perspective – Detailed Requirements
– provide security patches until estimated end-of-support
– for each patch/release: Security Impact Analysis Report (S-IAR)
– update the evidence documentation used in the base evaluation
– record decisions in the patch management process (transparency)
– implement Patch Management Policy
• communicate end-of-support
• define content of patch release notes
• mandatory procedures during patch release
• self-assess and confirm the application of these policies
• conditions for additional tests by ITSEF/lab before release
• Evaluator perspective
– What do I have to evaluate / look for?
– As part of the ´common´ evaluation process
• The set of SFRs chosen by the vendor solves the PAM SPD
• The set of SFRs chosen by the vendor are adequately implemented
(ATE/AVA)
– As part of ALC_PAM
• Content and presentation requirements
– The process for patch release, including responsibilities
– The secure use of cryptographic keys involved in patch generation
• Evidence of application of PAM procedures and self-assessment
– Through dry run
– Sampling during a site visit
• Pilot projects
– secuvera runs first pilot of ALC_PAM evaluation in German CC
scheme (BSI) with genua
• Note: ALC_PAM version from the beginning of 2020
• Conclusions
– We are trying to solve a real world problem
– We are doing it very fast! Balloting of the TR by Autumn’21
– International support
– Multi community support
– Accepted for trial use by the new EUCC opening the door to the
Critical Update Flow
Thank you!
Vielen Dank!
¡Muchas Gracias! Sebastian Fritsch
sfritsch@secuvera.de
+49-7032/9758-24
secuvera GmbH
Siedlerstraße 22-24
71126 Gäufelden/Stuttgart
Germany
Javier Tallón
jtallon@jtsec.es
+34-858981999
jtsec Beyond IT Security
Avenida de la Constitución 20, 208
18012 Granada
Spain

More Related Content

What's hot

ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??
Fáber D. Giraldo
 
Shackelford Examples V1
Shackelford Examples V1Shackelford Examples V1
Shackelford Examples V1
Larry_Shackelford
 
ISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standardsISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standards
Fareha Nadeem
 
"ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with..."ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with...
TEST Huddle
 
CPU Verification
CPU VerificationCPU Verification
CPU Verification
Ramdas Mozhikunnath
 
Verification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathVerification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career Path
Ramdas Mozhikunnath
 
Basics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow DevicesBasics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow Devices
Arrow Devices
 
55th세미나 발표자료
55th세미나 발표자료55th세미나 발표자료
55th세미나 발표자료
Kim Sjoon
 
Softwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan SahadviSoftwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan Sahadvi
AbuulHassan2
 
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Pôle Systematic Paris-Region
 
I software quality
I   software qualityI   software quality
I software quality
Fáber D. Giraldo
 
MydhiliVadlamaniCV
MydhiliVadlamaniCVMydhiliVadlamaniCV
MydhiliVadlamaniCV
Mydhili Vadlamani
 
Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...
PMI-Montréal
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
Saqib Raza
 
Qa
QaQa
Sqa
SqaSqa

What's hot (16)

ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??ISO 29119 and Software Testing - now what??
ISO 29119 and Software Testing - now what??
 
Shackelford Examples V1
Shackelford Examples V1Shackelford Examples V1
Shackelford Examples V1
 
ISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standardsISO 29119 -The new international software testing standards
ISO 29119 -The new international software testing standards
 
"ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with..."ISO 29119 - The New Set of International Standards on Software Testing" with...
"ISO 29119 - The New Set of International Standards on Software Testing" with...
 
CPU Verification
CPU VerificationCPU Verification
CPU Verification
 
Verification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathVerification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career Path
 
Basics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow DevicesBasics of Functional Verification - Arrow Devices
Basics of Functional Verification - Arrow Devices
 
55th세미나 발표자료
55th세미나 발표자료55th세미나 발표자료
55th세미나 발표자료
 
Softwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan SahadviSoftwarequalityassurance with Abu ul hassan Sahadvi
Softwarequalityassurance with Abu ul hassan Sahadvi
 
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
 
I software quality
I   software qualityI   software quality
I software quality
 
MydhiliVadlamaniCV
MydhiliVadlamaniCVMydhiliVadlamaniCV
MydhiliVadlamaniCV
 
Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...Aerospace Project Management : Non-Technical Requirements Management in the B...
Aerospace Project Management : Non-Technical Requirements Management in the B...
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
 
Qa
QaQa
Qa
 
Sqa
SqaSqa
Sqa
 

Similar to Towards creating an extension for patch management ISO/IEC 15408 &18045

EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
Javier Tallón
 
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
babak danyal
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
Perficient
 
Sanjay
SanjaySanjay
Sanjay
rehana00
 
Introduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformIntroduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure Platform
SZ Lin
 
Release Verification Team Proposal
Release Verification Team  ProposalRelease Verification Team  Proposal
Release Verification Team Proposal
Raghunath (Gautam) Soman
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
RppsKumar1
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
ghkadous
 
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Perficient
 
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdfLife cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
SohamChatterjee47
 
2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx
JohnLagman3
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
Venkat Janardhanam, MS, MBA
 
Comp8 unit5 lecture_slides
Comp8 unit5 lecture_slidesComp8 unit5 lecture_slides
Comp8 unit5 lecture_slides
CMDLMS
 
tip oopt pse-summit2017
tip oopt pse-summit2017tip oopt pse-summit2017
tip oopt pse-summit2017
domenico di mola
 
AiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 bAiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 b
AiTi Education
 
Software Process Models
Software Process ModelsSoftware Process Models
Software Process Models
Rody Middelkoop
 
Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008
Pete Schneider
 
Software Engineering : Process Models
Software Engineering : Process ModelsSoftware Engineering : Process Models
Software Engineering : Process Models
Ajit Nayak
 
Software life cycle
Software life cycleSoftware life cycle
Software life cycle
kingseif
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
YoussefElsamman
 

Similar to Towards creating an extension for patch management ISO/IEC 15408 &18045 (20)

EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2Se 381 -  lec 28 -- 34 - 12 jun12 - testing 1 of 2
Se 381 - lec 28 -- 34 - 12 jun12 - testing 1 of 2
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
 
Sanjay
SanjaySanjay
Sanjay
 
Introduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure PlatformIntroduction to Civil Infrastructure Platform
Introduction to Civil Infrastructure Platform
 
Release Verification Team Proposal
Release Verification Team  ProposalRelease Verification Team  Proposal
Release Verification Team Proposal
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
 
ISTQBCH2.ppt
ISTQBCH2.pptISTQBCH2.ppt
ISTQBCH2.ppt
 
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
Integrating Oracle Argus Safety with other Clinical Systems Using Argus Inter...
 
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdfLife cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
Life cycle models cccccccccccccccccccccccccccccccccccccccccccccccc.pdf
 
2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx2.-System-Development-Life-Cycle-report.pptx
2.-System-Development-Life-Cycle-report.pptx
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
 
Comp8 unit5 lecture_slides
Comp8 unit5 lecture_slidesComp8 unit5 lecture_slides
Comp8 unit5 lecture_slides
 
tip oopt pse-summit2017
tip oopt pse-summit2017tip oopt pse-summit2017
tip oopt pse-summit2017
 
AiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 bAiTi Education Software Testing Session 02 b
AiTi Education Software Testing Session 02 b
 
Software Process Models
Software Process ModelsSoftware Process Models
Software Process Models
 
Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008Context Driven Automation Gtac 2008
Context Driven Automation Gtac 2008
 
Software Engineering : Process Models
Software Engineering : Process ModelsSoftware Engineering : Process Models
Software Engineering : Process Models
 
Software life cycle
Software life cycleSoftware life cycle
Software life cycle
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
Javier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
Javier Tallón
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
Javier Tallón
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
Javier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
Javier Tallón
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
Javier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
Javier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
Javier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 

Recently uploaded

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 

Recently uploaded (20)

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 

Towards creating an extension for patch management ISO/IEC 15408 &18045

  • 1. Patch Management for ISO/IEC 15408 / Common Criteria Javier Tallón, jtsec Sebastian Fritsch, secuvera ICCC 17.11.2020
  • 2. • Overview – Background – Problem description: certification vs. security – ISO Project: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045 • Concept – ALC_PAM + SPD (for PAM) + (opt.) SFRs (for PAM) • Outlook – How to apply: practical considerations – Conclusions
  • 4. • Background – Product time to market • Continuous delivery • Vulnerabilities are made public and patched everyday • But certification is painfully slow – Hot topic during first study period at ISO SC27 (2017) • Very ambitious – Continuous assurance, & all kind of situations – A lot of new CC Concepts • Conclusions – Too difficult – Not enough experience – But real-world problem that needs to be solved
  • 5. • Background – Different approaches to Patch Management • Common Criteria – Classic: slow / IAR – JIL: base of our proposal / smartcards – ISCI WG1: same objectives / different approach • FIPS 140-2: 3ASUB / priority Q / templates • PCI-PTS: evaluated LC / trust by default • EMVCo: fast track
  • 7. • Problem description – Certified TOE with known vulnerabilities • risk owners need updates – But updates are not certified • costs, time for certification • only done if required by regulation – Problem not limited to Common Criteria/ISO 15408, but any other security product certification • relevant to any product certification with defined version
  • 8. • Problem description – CC compliant operation of TOEs often leads to • risk owner has to accept known vulnerabilities • but those were already fixed in a non-certified TOE update – Chances of this proposal • risk owner gets possibility to remove existing, known vulnerabilities • regulatory body can request risk owners to install updates to remove existing vulnerabilities • modernized tool to mandate the use of software which will be secure after certification but also later in the product lifecycle
  • 9. • Current status – Risk owner • demand for certificate of product (TOE) • but also for – security issue handling correction and – delivery of security updates – often called “support processes”
  • 10. • Other options “Perfect the testing so no many patches need to be installed” ATE_PERFECT.1
  • 12. • Concept A. Two (+one) building blocks 1. ALC_PAM – Evaluate the Patch Management Process as part of the standard evaluation (certification) 2. SPD (for PAM) – Common ground for all TOE types: SPD and adaptable Objectives 3. optional SFRs (for PAM) – Technical capabilities for applying patches – Generic solution (set of SFRs) – Other sets of SFRs might be equivalent, needed to support legacy/existing PPs B. Options for Certification Bodies
  • 13. • New family ALC_PAM • ALC_PAM.1 Patch Management Processes – key elements: • Security Impact Analysis Report (S-IAR) – Developer’s self-assessment of security relevance of a planned patch • Patch Management Policies – describes the mandatory procedures during patch release – rules when to re-certify or re-evaluate the TOE – end-of-support consideration of TOE – assessment and confirmation of the application of Patch Management Policies on a regular basis
  • 14. • Options for Certification Bodies …for optimization – Fast-Track Re-Certification – Re-Evaluation (without Certification) – Provide templates to support the analyse impact of changes of a patch – Trust by default developers in order to harmonize security and certification – Put penalties if developers do not follow the published rules
  • 15. • Timeline – 2º SP opened in September 2019 - Paris – Results of 2ºSP  Creation of a TR - St. Petersburg ISO meeting – 1st WD finalized by 19 of June 2020 – Heavy discussion – Warsaw ISO meeting – 2nd WD finalized by 18 of January 2021 – 2021 balloting of the 3rd WD • International support
  • 16. • Ongoing discussion in ISO for WD2 will be available January – “TOE and patch”: analyse the impact on other SARs • option 1: modify SARs (like in JIL documents) • option 2: add requirements to ALC_PAM – Create (adoptable) set of objectives • and make set of SFRs only an option – Set of SFRs: • use CC Part 2, or • create new SFRs (use ECD) – Terminology: ISO, JIL, GP, … terminology • find minimum conflicting terminology for different communities – Try to keep ALC_PAM mostly stable • but minor changes necessary
  • 17. How to apply: practical considerations
  • 18. • Current Working Draft of ISO Document – available here: https://www.jtsec.es/papers/Technical/Report_Patch_Management.pdf
  • 19. • Guide for ST/PP authors: – add Extended Component Definition (ALC_PAM.1) to ST – add Evaluator Work Unit to ST (or link referenced document) • both defined in ISO document – add Security Problem Definition (SPD) and Objectives (for Patches) to ST • defined in ISO document – add SFRs to ST • if applicable to TOE • otherwise modify SFRs, or take other set of SFRs
  • 20. • Prepare/Update Patch Management Processes – Check degree of implementation of existing Patch Management Processes • consider ALC_PAM.1 requirements – see also Guidance in ISO Document ( Annexes)
  • 21. • Developer perspective – Detailed Requirements – provide security patches until estimated end-of-support – for each patch/release: Security Impact Analysis Report (S-IAR) – update the evidence documentation used in the base evaluation – record decisions in the patch management process (transparency) – implement Patch Management Policy • communicate end-of-support • define content of patch release notes • mandatory procedures during patch release • self-assess and confirm the application of these policies • conditions for additional tests by ITSEF/lab before release
  • 22. • Evaluator perspective – What do I have to evaluate / look for? – As part of the ´common´ evaluation process • The set of SFRs chosen by the vendor solves the PAM SPD • The set of SFRs chosen by the vendor are adequately implemented (ATE/AVA) – As part of ALC_PAM • Content and presentation requirements – The process for patch release, including responsibilities – The secure use of cryptographic keys involved in patch generation • Evidence of application of PAM procedures and self-assessment – Through dry run – Sampling during a site visit
  • 23. • Pilot projects – secuvera runs first pilot of ALC_PAM evaluation in German CC scheme (BSI) with genua • Note: ALC_PAM version from the beginning of 2020
  • 24. • Conclusions – We are trying to solve a real world problem – We are doing it very fast! Balloting of the TR by Autumn’21 – International support – Multi community support – Accepted for trial use by the new EUCC opening the door to the Critical Update Flow
  • 25. Thank you! Vielen Dank! ¡Muchas Gracias! Sebastian Fritsch sfritsch@secuvera.de +49-7032/9758-24 secuvera GmbH Siedlerstraße 22-24 71126 Gäufelden/Stuttgart Germany Javier Tallón jtallon@jtsec.es +34-858981999 jtsec Beyond IT Security Avenida de la Constitución 20, 208 18012 Granada Spain