This document discusses developing a systematic approach to vulnerability analysis. It argues that the Common Criteria provides classifications that are too generic and no methodology. A proper analysis requires attack patterns, to think like an attacker, and a systematic, repeatable methodology. This involves using tools such as vulnerability scanners, debuggers, and disassemblers along predefined test procedures and penetration-testing agendas. An example analysis of a sample system is provided to demonstrate the approach. The lesson is that motivation and creativity are needed alongside attack patterns and a well-defined methodology to achieve comprehensive vulnerability analysis.
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis... - Stefano Dalla Palma
These slides describe the paper by Henning Perl et al. on a new method for finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. They combine code-metric analysis with metadata gathered from code repositories to help code-review teams prioritize their work.
Let us delve into the various skill or knowledge levels for the testing industry, designated as K-Levels.
What are K-Levels of knowledge?
K-Levels, or "Knowledge Levels", refer to the prescription of an upper limit of the skills or knowledge essential for a particular certification.
The hierarchy of K-Levels is described in the globally recognized Bloom's Taxonomy of learning. Reaching a particular K-Level means that the individual has successfully achieved some measurable and meaningful objectives.
AVATAR: Fixing Semantic Bugs with Fix Patterns of Static Analysis Violations - Dongsun Kim
Fix pattern-based patch generation is a promising direction in Automated Program Repair (APR). Notably, it has been demonstrated to produce more acceptable and correct patches than the patches obtained with mutation operators through genetic programming. The performance of pattern-based APR systems, however, depends on the fix ingredients mined from fix changes in development histories. Unfortunately, collecting a reliable set of bug fixes in repositories can be challenging. In this paper, we propose to investigate the possibility in an APR scenario of leveraging code changes that address violations by static bug detection tools. To that end, we build the AVATAR APR system, which exploits fix patterns of static analysis violations as ingredients for patch generation. Evaluated on the Defects4J benchmark, we show that, assuming a perfect localization of faults, AVATAR can generate correct patches to fix 34/39 bugs. We further find that AVATAR yields performance metrics that are comparable to those of the closely related approaches in the literature. While AVATAR outperforms many of the state-of-the-art pattern-based APR systems, it is mostly complementary to current approaches. Overall, our study highlights the relevance of static bug finding tools as indirect contributors of fix ingredients for addressing code defects identified with functional test cases.
High-Throughput Screening of mAb Charge Variants Using Microchip-CZE - PerkinElmer, Inc.
This poster describes the development of a high-throughput microchip-CZE assay for profiling the charge variants of therapeutic mAbs.
Authors:
Tobias Wheeler, Lucy Sun, Rajendra Singh, Bahram Fathollahi and Hans Pirard
Affiliations:
PerkinElmer (Caliper), Alameda, CA, USA
For further information on the Microfluidics Technology (PerkinElmer) presented in this poster, please visit http://bit.ly/12j68ol
Chapter 10 Testing and Quality Assurance (Unders.docx) - keturahhazelhurst
Chapter 10: Testing and Quality Assurance

Objectives
• Understand quality and basic techniques for software verification and validation.
• Analyze the basics of software testing and testing techniques.
• Discuss the concept of the "inspection" process.

Testing Introduction
• Quality assurance (QA): activities designed to measure and improve quality in a product, and in the process.
• Quality control (QC): activities designed to validate and verify the quality of the product by detecting faults and "fixing" the defects.
• (Callout: QA and QC are similar.)
• Good techniques, process, tools, and team are all needed.

What Is "Quality"?
• Two traditional definitions: conforms to requirements; fit for use.
• Verification: checking that the software conforms to its requirements (did the software evolve from the requirements properly; does the software "work"?). Is the system correct?
• Validation: checking that the software meets user requirements (fit for use). Are we building the correct system?

Some "Error-Detection" Techniques (finding errors)
• Testing: executing the program in a controlled environment and "verifying/validating" its output.
• Inspections and reviews.
• Formal methods (proving software correct).
• Static analysis: detects "error-prone conditions."

Faults and Failures
• Error: a mistake made by a programmer or software engineer that caused the fault, which in turn may cause a failure.
• Fault (defect, bug): a condition that may cause a failure in the system.
• Failure (problem): the inability of the system to perform a function according to its specification, due to some fault.
• Fault or failure/problem severity: based on consequences.
• Fault or failure/problem priority: based on the importance of developing a fix, which in turn is based on severity.

Testing
• An activity performed for evaluating product quality, and for improving products by identifying defects and having them fixed prior to software release.
• Dynamic (running-program) verification of a program's behavior on a finite set of test cases selected from the execution domain.
• Testing can NOT prove that a product works 100%, even though we use testing to demonstrate that parts of the software work.
• (Callout: not always done!)

Testing (cont.)
• Who tests? Programmers; testers/requirements analysts; users.
• What is tested? Unit code testing; functional code testing; integration/system testing; user interface testing.
• Why test? Acceptance (customer); conformance (standards, laws, etc.); configuration (user vs. developer); performance, stress, security, etc.
• How are test cases designed? Intuition; specification based (black box); code based (white box); existing cases (regression).

Progression of Testing

Equivalence Class Partitioning
• Divide the input into several groups, deemed "equivalent" for the purpose of finding errors.
• Pick one "representative" of each class to use for testing.
• Equivalence classes are determined by requirements/design specifications and some intuition.
• Example: pick the "larger" of two integers and . . .
• Goals: lessen duplication; complete coverage.
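The slide's "larger of two integers" example, carried through as equivalence-class partitioning in code. This is an added illustration, not part of the original chapter: the function under test, the four classes, their representatives and the sample grid are all constructed here. The point it makes that the bullets do not is that the partition itself is something you can check: every input should fall into exactly one class (no gaps, no duplication), and one run per representative then stands in for the whole class.

```python
"""Equivalence-class partitioning for larger(a, b), worked through in code."""
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable, Dict, List, Tuple


def _both_ints(a: Any, b: Any) -> bool:
    # bool is a subclass of int in Python; exclude it so True/False count as invalid.
    return all(isinstance(x, int) and not isinstance(x, bool) for x in (a, b))


def larger(a: Any, b: Any) -> int:
    """Function under test (constructed for this example): the larger of two ints.

    Non-integer input is rejected explicitly so that the "invalid input" class
    has a defined, testable behaviour (TypeError) instead of silent coercion.
    """
    if not _both_ints(a, b):
        raise TypeError("larger() takes two ints")
    return a if a >= b else b


@dataclass(frozen=True)
class EquivalenceClass:
    name: str
    member: Callable[[Any, Any], bool]  # membership test for an (a, b) input pair
    representative: Tuple[Any, Any]     # the single input chosen to stand for the class
    expected: Any                       # oracle: return value, or exception type for invalid classes


# The partition. Valid inputs are split by the only thing larger() branches on,
# the ordering of a and b; anything that is not a pair of ints is one invalid class.
CLASSES: List[EquivalenceClass] = [
    EquivalenceClass("valid, a > b", lambda a, b: _both_ints(a, b) and a > b, (7, 3), 7),
    EquivalenceClass("valid, a < b", lambda a, b: _both_ints(a, b) and a < b, (-9, -1), -1),
    EquivalenceClass("valid, a == b", lambda a, b: _both_ints(a, b) and a == b, (5, 5), 5),
    EquivalenceClass("invalid, non-integer", lambda a, b: not _both_ints(a, b), (3.5, 2), TypeError),
]


def classify(a: Any, b: Any) -> List[str]:
    """Names of every class (a, b) falls into; a proper partition yields exactly one."""
    return [c.name for c in CLASSES if c.member(a, b)]


def check_partition(samples) -> List[Tuple[Any, Any, List[str]]]:
    """Inputs that land in zero classes (coverage gap) or several (duplication).

    An empty result means the classes are total and disjoint over the samples.
    """
    problems = []
    for a, b in samples:
        names = classify(a, b)
        if len(names) != 1:
            problems.append((a, b, names))
    return problems


def run_representatives() -> Dict[str, bool]:
    """Run larger() once per class on its representative; True means the oracle agreed."""
    results: Dict[str, bool] = {}
    for c in CLASSES:
        a, b = c.representative
        if not c.member(a, b):
            raise ValueError(f"representative {c.representative!r} is not in class {c.name!r}")
        if isinstance(c.expected, type) and issubclass(c.expected, BaseException):
            try:
                larger(a, b)
                results[c.name] = False  # expected an exception, got a value
            except c.expected:
                results[c.name] = True
        else:
            results[c.name] = larger(a, b) == c.expected
    return results


# Constructed sample inputs: a small grid mixing negatives, zero, positives,
# non-integers and a bool, used only to sanity-check the partition itself.
SAMPLE_GRID = list(product([-5, -1, 0, 1, 5, 2.5, "x", True], repeat=2))


if __name__ == "__main__":
    print(run_representatives())         # one run per class instead of a whole grid
    print(check_partition(SAMPLE_GRID))  # [] when the classes are total and disjoint
```

The invalid class is deliberately part of the partition: a partition that covers only the "happy" inputs has a coverage gap by construction, and the empty result from `check_partition` is what justifies running only one representative per class.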
Suppose we have n distinct functional requirements.
Su ...
Evolving cryptographic evaluation - Episode II (Evolucionando la evaluación criptográfica - Episodio II) - Javier Tallón
No manufacturer is unaware that the cryptographic requirements for developing any product keep growing. For that reason CCN has developed, with the support of jtsec, a methodology that includes conformance testing, a search for common implementation errors, and implementation requirements for cryptographic primitives, applied to the LINCE methodology. In this talk we explain the main changes introduced in the Cryptographic Mechanisms Evaluation Methodology presented last year, as well as the definition of the new Cryptographic Evaluation Methodology under CCN-STIC 130.
How to evaluate biometric solutions in order to include video-identification products... (Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...) - Javier Tallón
Today there is a large number of biometric solutions on the market, increasingly applied in key sectors such as banking, public administration and insurance.
The Ministry of Economic Affairs and Digital Transformation published the first ministerial order, in BOE no. 115 of 14 May 2021, regulating remote video-identification methods for the issuance of recognised electronic certificates. Following this legislation, CCN developed a biometric evaluation module (MEB) that allows biometric solutions to be evaluated under both the LINCE methodology and Common Criteria, following guide IT-014.
The talk explains how guide IT-014 is applied and the different types of presentation attack it covers: impostor, video-based, mask-based, deepfake tools, etc.
The talk is eminently technical and shows examples of real attacks carried out during evaluations.
jtsec, drawing on its experience in the first evaluations of biometric solutions, gives an overview of how these evaluations have been conducted and which types of attack are hardest for vendors to mitigate.
The talk describes the particularities of cloud evaluations, both technically and in terms of process. It also highlights the efforts made at national level so that this kind of solution can be evaluated.
ICCC2023 Statistics Report, has Common Criteria reached its peak? - Javier Tallón
As is customary in the last editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CBs portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria’s data in a year when the market has stabilized after several years of political and health instability.
ICCC23 - The new cryptographic evaluation methodology created by CCN - Javier Tallón
The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives.
The primary objective of this cryptographic methodology is to establish a standardized framework for conducting cryptographic evaluations of Target of Evaluations (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more.
During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.
Experiences evaluating cloud services and products - Javier Tallón
The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (cloud native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, even though many administrations are migrating to cloud solutions.
This talk does not cover cloud programs such as FedRAMP, ENS, C5, SecNumCloud or the ENISA EUCS scheme. All of these schemes evaluate the cloud infrastructure and the controls specified in the respective standards.
But in those standards we cannot find assurance requirements related to the product/service itself. For example, if your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications, but it would NOT be possible to obtain a CC certification using NIAP PPs.
To solve this problem, a practical approach has been followed in Spain: evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google and Microsoft have already undergone this kind of process.
In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…).
We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.
TAICS - Cybersecurity Certification for European Market.pptx - Javier Tallón
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
The advantage of implementing a cybersecurity solution certified by the C... (La ventaja de implementar una solución de ciberseguridad certificada por el C...) - Javier Tallón
Checkpoint Technologies, a company we have helped to certify/qualify several of its solutions so that they form part of the CPSTIC / CCN-STIC 105 catalogue, invited us as speakers to this webinar, where we had the opportunity to explain the following points:
• Introduction to the Centro Criptológico Nacional (CCN) and the Esquema Nacional de Seguridad (ENS)
• What the Catálogo de Productos y Servicios de Seguridad de las Tecnologías de la Información y la Comunicación (CPSTIC) consists of
• Benefits of certifying/qualifying a solution and of ENS compliance for your organization, and the main
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf - Javier Tallón
The draft of the URWP (Union Rolling Work Programme) of the European commission suggests a European Crypto Scheme as one of the potential schemes to be created under the CSA. The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is becoming increasingly widespread. Until now, there has been a reference methodology for cryptographic evaluation at international level, FIPS 140-3. Nonetheless, at the SOG-IS level, there have been efforts to harmonize evaluations in Europe. The publication of the SOGIS Agreed Cryptographic Mechanisms or the SOGIS Harmonised cryptographic Evaluation Procedures show the efforts conducted in Europe during the last years. However, the pandemic situation has slowed down the progress. This talk will present the new approach to evaluate cryptography in Spain according to the methodology created jointly by CCN (Spanish CB) and jtsec, which could serve as a base for a potential European scheme. In addition, this talk will show the tool created to verify the conformance of cryptographic primitives.
This presentation will be especially useful for schemes and government entities to check if the approach could fit their needs.
You have surely seen how more and more sectors, such as banking or insurance, allow legally binding accounts to be opened without (a priori) the intervention of a human operator thanks to video-identification processes. But have you wondered how secure they are?
The Ministry of Economic Affairs and Digital Transformation, in BOE no. 115 of 14 May 2021 and in response to the health emergency caused by the COVID-19 crisis, regulated remote video-identification methods for the issuance of qualified electronic certificates. This obliges providers of this type of service to validate their solutions under the terms set out in Annex F11 of Guide CCN-STIC-140 of the Centro Criptológico Nacional.
That annex requires an accredited laboratory to perform presentation attacks against such solutions to verify their resistance to techniques such as hyper-realistic masks, deepfakes or contouring. In this talk we go into the technical details of those attacks and explain how we managed to inject video into many of these solutions.
Evolving cryptographic evaluation (Evolucionando la evaluación criptográfica) - Javier Tallón
The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is increasingly widespread. For this reason CCN developed, in its ICT Security Guide CCN-STIC 2002, a Cryptographic Evaluation Module (MEC) that is applied to different solutions implementing cryptographic algorithms. This module serves as a reference in numerous evaluations under the LINCE methodology, where it is applied as an addition.
Because cryptographic requirements keep increasing, CCN has developed, with the support of jtsec, a methodology that includes conformance testing, a search for common implementation errors, and implementation requirements for cryptographic primitives.
The aim of the cryptographic methodology is to establish a common framework for carrying out the cryptographic evaluation of TOEs that are evaluated in order to obtain a Common Criteria certificate, LINCE with cryptographic validation, or STIC with cryptographic validation.
This talk presents the new approach to evaluating cryptography in Spain according to the methodology created jointly by CCN and jtsec. We also show the tool created to verify the conformance of cryptographic primitives. The talk will be especially useful for product developers, who will learn the requirements that will be demanded from now on.
Spain and CCN as references in the cybersecurity evaluation of ... solutions (España y CCN como referentes en la evaluación de ciberseguridad de soluciones...) - Javier Tallón
Developing products directly in the cloud (cloud native) is an increasingly widespread practice in the industry. The Spanish administration is no exception to this trend, and migrations to the cloud are increasingly common. Deployment and management take place in the cloud, and these are usually developments in constant evolution, giving manufacturers more flexibility for the continuous improvement of their products.
Faced with the continual increase in cloud-developed products, in February 2020 CCN published Annex G of the ICT Security Guide CCN-STIC 140 for the STIC product taxonomy, Cloud Services, which sets out the Fundamental Security Requirements (RFS) for this type of service; these are additional requirements that complement those defined for each product family. The guide is a pioneer at international level for the evaluation of cloud services, so it is worth noting that Spain is the first country to create an evaluation methodology for this type of service. Cloud evaluations normally focus on the management and infrastructure of the service/product, leaving aside the security functionality the product itself implements.
Cybersecurity evaluations have the particularity that these services/products cannot be fully controlled/installed in the laboratory when the evaluation is performed, so they cannot be certified using the LINCE or Common Criteria methodologies. This problem exists at international level.
To resolve this situation, CCN designed a strategy for evaluating cloud services by means of complementary STIC evaluations using the LINCE methodology.
This route has allowed cloud services to be qualified in the CPSTIC / CCN-STIC 105 catalogue. As of today, 6 cloud services are included in the CPSTIC catalogue, all of them evaluated by jtsec.
At jtsec we have had to adapt technologically to face this type of evaluation, since around 70% of the evaluations started by jtsec in 2022 correspond to cloud services.
The talk describes the particularities of cloud evaluations, both technically and in terms of process. It also highlights the efforts made at national level so that this kind of solution can be evaluated.
EUCA 22 - Let's harmonize labs competence ISO 19896Javier Tallón
Harmonization of the competence of the different labs/evaluators has always been a topic for discussion in the Cybersecurity Certification community.
At ISO level, a new standard has been approved aiming to support this goal: ISO 19896.
ISO/IEC 19896 sets out the requirements for information security testers and evaluators, including a set of concepts and relationships to understand the competency of individuals performing Common Criteria evaluations.
The requirements of this new ISO standard allow verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISO standard and how to apply it in Common Criteria, which will be explained during the talk.
Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO standard and other related standards.
EUCA22 Panel Discussion: Differences between lightweight certification schemesJavier Tallón
As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/fixed-time methodologies (CPSN, BSPA, BSZ and LINCE). All of them have many similarities, but also quite a few national differences. This panel discussion will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss the future European fixed-time methodology led by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one. The panel will discuss the potential impact that FITCEM will have, both technically and in terms of the European market, on the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).
Common Criteria is the most used international standard for cybersecurity certification of ICT products. CC has lights and shadows, and for most stakeholders the main drawback might be the assurance continuity process. The application of CC for re-certification of updates or security-patched products is very slow and not adapted to the time to market of new product versions. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 has been working hard in recent years to prepare the technical specification that could be used to evaluate the TOE's patching functionality and the developer's patch management by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it addresses the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of the ISO/IEC TS 9565.
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
The proliferation of new cybersecurity standards/schemes shows the interest of all stakeholders in requiring cybersecurity for ICT products. On the other hand, harmonization/recognition between standards/schemes is needed. Otherwise, there could be too many standards, which becomes non-cost-effective for developers certifying their products.
For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and their supply chain are not limited to a single vertical. In fact the contrary holds: the building blocks of an IoT device find application in several other verticals. Assuming that these building blocks have demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy not to repeat those proofs of compliance but instead to accept them across standards and schemes where applicable.
This talk will highlight the importance of the acceptance of certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de-facto acceptance of underlying CC results, SESIP to IEC62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc.) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU commission).
The talk will be given from the developer perspective (Georg Stütz from NXP) and the lab perspective (Jose Ruiz from jtsec).
How to include products and services in the CPSTIC catalogue (CCN-STIC 105)? Javier Tallón
Including products and services in the reference cybersecurity catalogue for the Public Administration is not easy.
A LINCE or Common Criteria evaluation must be passed in order to be admitted to the catalogue.
The CPSTIC catalogue can include both on-premise and cloud solutions, which is a great advantage for cloud-native developers.
In this presentation we explain the different ways to include a solution in the CPSTIC catalogue, as well as the steps to follow.
Is Automation Necessary for the CC Survival?Javier Tallón
The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common Criteria evaluations, both by laboratories and by the Certification Bodies, is limited. The automation of certain processes through the use of tools created specifically for this purpose is seen as the only possible way to speed up the process, both in terms of time and workload. How will the use of tools affect the immediate future of the different stakeholders in Common Criteria? Will automation lead to an increase in the number of certifications and the possibility that more companies will be able to become certified?
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process.
CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC.
In this year's presentation, we will be able to show the specifications that have been defined to interact with the tool. We will be able to present the current status of the development, showing the first operational version of CCCAB. Finally, we will discuss the challenges of making the tool widely accessible.
2022 CC Statistics report: will this year beat last year's record number of c...Javier Tallón
CC Scraper is a tool developed by jtsec 5 years ago that automatically analyses the information from the CC and CB portals using OCR capabilities and other features. It includes detailed insights about Common Criteria such as certifications per assurance level, trends by Protection Profile and manufacturer rankings, among others. We publish free annual reports on these statistics. In last year's edition, we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data for the first three quarters of 2022? Will this year beat last year's record number of certifications? Which labs and vendors will be in the top?
This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.
CCCAB, the European commitment to the automation of Certification Bodies... Javier Tallón
Article published in issue no. 148 of Revista SIC, where we present the tool we are developing, a pioneer in the market.
CCCAB is a project funded by the European Commission under the Connecting Europe Facility (CEF) programme, which saves time and effort for CABs (Certification Assessment Bodies), lightening their workload in order to optimise the certification phase.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD within UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
2. Outline
1. Vulnerability Analysis according to CEM
2. Pieces for a correct vulnerability analysis
2.1 Attack Patterns
2.2 Systematic and repeatable methodology
3. Example
4. Lessons learned
4. 1. Vulnerability Analysis according to CEM
The evaluator vulnerability analysis is to determine that the TOE is resistant to penetration attacks performed by an attacker possessing a Basic (for AVA_VAN.1 and AVA_VAN.2), Enhanced-Basic (for AVA_VAN.3), Moderate (for AVA_VAN.4) or High (for AVA_VAN.5) attack potential.
Independent vulnerability analysis should consider generic potential vulnerabilities under each of the following headings:
• Bypassing
• Tampering
• Direct attacks
• Monitoring
• Misuse
5. 1. Vulnerability Analysis according to CEM
Due to the generic nature of the Common Criteria, this classification is too abstract and does not help to achieve the required completeness of the evaluator's work.
CEM classification is useless by itself
6. 1. Vulnerability Analysis according to CEM
From AVA_VAN.4, vulnerability analysis should be METHODICAL:
"This method requires the evaluator to specify the structure and form the analysis will take"
CEM asks for a methodical analysis but does not provide any method.
Every method would be acceptable
7. 1. Vulnerability Analysis according to CEM
Very generic vulnerability classification + Undefined methodology = Poor Vulnerability Analysis
9. 2. Pieces for a correct Vulnerability Analysis
Here is the question... How to achieve completeness in a systematic way?
We will focus on software assessment
11. 2.1 Attack Patterns
Very generic vulnerability classification vs Attack Patterns
Thinking like bad guys
12. 2.1 Attack Patterns
Attack Pattern: an attack pattern describes the approach used by attackers to generate an exploit against software.
For example: MITRE provides CAPEC (Common Attack Pattern Enumeration and Classification)
14. 2.1 Attack Patterns
CAPEC provides a free collection of attack patterns
CAPEC is not the panacea
Each lab should manage its own attack pattern collection
17. 2.2 Systematic and Repeatable Methodology
Undefined Methodology vs Systematic and Repeatable Methodology
18. (Figure) ADV_ARC, AGD, ASE_SPD, ALC, ATE, ADV_TDS
Misuse, Deliv., Vuln., Malfunction, Attack Path
Vulnerability scanners, Forensic analysis, Disassemblers, Debuggers
Attack Patterns x Vulnerability Analysis method x Lab T&T
Penetration testing agenda
+ Bespoke Lab Tools + Lab Know How = Systematic and Repeatable Methodology
19. 2.2 Systematic and Repeatable Methodology
Attack Patterns x Vulnerability Analysis method x Lab T&T
Penetration testing agenda
26. 2.2 Systematic and Repeatable Methodology
Attack Patterns x Vulnerability Analysis method x Lab T&T
Penetration testing agenda
+ Bespoke Lab Tools + Lab Know How
30. 3. Example
(Figure: TOE) Components: Network Service, XML Parser, Web Service, Access Control Module, Auth Database (SQL), Resource Database (SQL)
31. 3. Example
(TOE diagram as on slide 30)
Sniffing Attacks
Man in the Middle
Denial of Service through Resource Depletion
32. 3. Example
(TOE diagram as on slide 30)
Detect Unpublicized Web Services
Web Services Protocol Manipulation
33. 3. Example
(TOE diagram as on slide 30)
XML Routing Detour Attacks
Oversized Payloads Sent to XML Parsers
XEE (XML Entity Expansion)
XML Ping of Death
XML Schema Poisoning
XML Attribute Blowup
XML Injection
Recursive Payloads Sent to XML Parsers
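Several of the XML parser patterns on this slide (Oversized Payloads, XEE, XML Attribute Blowup, Recursive Payloads) share one defensive test: does the component reject the payload shape before it is parsed? The guard below is an added example, not code from the slides or from jtsec; it assumes the patterns are aimed at the TOE's XML Parser component and uses Python's stdlib expat parser with limits (64 KiB, depth 32, 64 attributes) and sample documents constructed for the illustration. An evaluator can run a guard like this against the TOE's own inputs to confirm which of these patterns the parser configuration already blocks.

```python
"""Pre-parse policy check for an XML parser component.

Added example (not from the slides or jtsec): a guard that rejects the
payload shapes behind several of the XML parser attack patterns listed
above before the document reaches the application parser. The limits and
the sample documents are constructed for the illustration.
"""
import xml.parsers.expat


class XmlPolicyViolation(Exception):
    """Raised inside an expat callback to abort parsing as soon as a limit is crossed."""


def check_xml_payload(data, max_bytes=64 * 1024, max_depth=32, max_attrs=64):
    """Return (True, "ok") when the payload respects every limit, else (False, reason).

    Assumed limits: max_bytes counters Oversized Payloads; the DOCTYPE ban counters
    XEE because no entity can be declared at all; max_depth counters Recursive
    Payloads; max_attrs counters XML Attribute Blowup.
    """
    if len(data) > max_bytes:
        return False, f"oversized payload: {len(data)} bytes > {max_bytes}"

    depth = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused, so internal and external entities cannot appear.
        raise XmlPolicyViolation("DOCTYPE declaration not allowed (no entity expansion)")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise XmlPolicyViolation(f"nesting depth {depth} exceeds {max_depth}")
        if len(attrs) > max_attrs:
            raise XmlPolicyViolation(f"element {name} carries {len(attrs)} attributes > {max_attrs}")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)          # exceptions raised in handlers propagate here
    except XmlPolicyViolation as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample documents, one per limit (small stand-ins, not real payloads).
SAMPLES = {
    "benign": b"<request><user>alice</user></request>",
    "entity_decl": b'<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>',
    "deep": b"<a>" * 40 + b"</a>" * 40,
    "many_attrs": b"<r " + b" ".join(b"a%d='1'" % i for i in range(70)) + b"/>",
    "truncated": b"<r><x>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        accepted, reason = check_xml_payload(doc)
        print(f"{label:12s} accepted={accepted} reason={reason}")
```

The guard only answers whether the payload is within policy; a TOE evaluation would record, per pattern, whether the real parser enforced an equivalent limit and at which layer (network service, parser, or application code).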
34. 3. Example
(TOE diagram as on slide 30)
Authentication Bypass
Password Brute Forcing
Authentication Abuse
Try Common (default) Usernames and Passwords
Reflection Attack in Authentication Protocol
Exploitation of Session Variables, Resource IDs and other Trusted Credentials
Dictionary-based Password Attack
35. 3. Example
(TOE diagram as on slide 30)
SQL Injection
Blind SQL Injection
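Section 2.2 states the methodology as a formula (attack patterns x analysis method x lab tools = penetration testing agenda) and section 3 applies it to one TOE by pairing each component with pattern names. The script below is an added example of the same procedure in code; it is not jtsec's tool and is not CAPEC itself. It keeps the pattern names from the slides, but the component kinds, the tags that say which kind each pattern targets, the tool names and the data flow between the TOE's components are assumptions made for the illustration. What the slides' lists do not show, and this version adds, is the completeness check (a component with no applicable pattern is reported as a gap rather than silently skipped), the attack paths derived from the data flow, and the list of lab tools the agenda calls for.

```python
"""Derive a penetration testing agenda from a TOE model and an attack-pattern catalogue.

Added illustration of the slides' formula (attack patterns x analysis method x lab
tools = penetration testing agenda); not jtsec's tool. Pattern names are those
listed on the slides; component kinds, pattern-to-kind tags, tool tags and the
data flow between components are constructed assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPattern:
    name: str                 # pattern name as listed on the slides
    applies_to: frozenset     # component kinds the pattern targets (assumed)
    tools: tuple              # lab tools used to exercise it (assumed)


@dataclass(frozen=True)
class Component:
    name: str
    kind: str
    talks_to: tuple = ()      # components this one passes data to (assumed flow)


# Constructed catalogue: a subset of the slides' pattern names with assumed tags.
CATALOGUE = (
    AttackPattern("Sniffing Attacks", frozenset({"network"}), ("sniffer",)),
    AttackPattern("Man in the Middle", frozenset({"network"}), ("intercepting proxy",)),
    AttackPattern("Denial of Service through Resource Depletion", frozenset({"network"}), ("load generator",)),
    AttackPattern("Detect Unpublicized Web Services", frozenset({"web_service"}), ("vulnerability scanner",)),
    AttackPattern("Web Services Protocol Manipulation", frozenset({"web_service"}), ("intercepting proxy",)),
    AttackPattern("XEE (XML Entity Expansion)", frozenset({"xml_parser"}), ("fuzzer",)),
    AttackPattern("Recursive Payloads Sent to XML Parsers", frozenset({"xml_parser"}), ("fuzzer",)),
    AttackPattern("Authentication Bypass", frozenset({"access_control"}), ("intercepting proxy", "debugger")),
    AttackPattern("Dictionary-based Password Attack", frozenset({"access_control"}), ("password auditing tool",)),
    AttackPattern("SQL Injection", frozenset({"sql_database"}), ("vulnerability scanner",)),
    AttackPattern("Blind SQL Injection", frozenset({"sql_database"}), ("intercepting proxy",)),
)

# The TOE of the slides' example: component names from the diagram, flow assumed.
TOE = (
    Component("Network Service", "network", ("XML Parser",)),
    Component("XML Parser", "xml_parser", ("Web Service",)),
    Component("Web Service", "web_service", ("Access Control Module",)),
    Component("Access Control Module", "access_control", ("Auth Database", "Resource Database")),
    Component("Auth Database", "sql_database"),
    Component("Resource Database", "sql_database"),
)


def entry_points(toe):
    """Components that receive no data from another component: where an attacker starts."""
    targets = {t for c in toe for t in c.talks_to}
    return [c.name for c in toe if c.name not in targets]


def attack_paths(toe):
    """Every data-flow path from an entry point to a component with no further flow."""
    by_name = {c.name: c for c in toe}
    paths = []

    def walk(name, path):
        nxt = by_name[name].talks_to
        if not nxt:
            paths.append(path)
        for target in nxt:
            if target not in path:          # tolerate cycles in a sloppy model
                walk(target, path + [target])

    for start in entry_points(toe):
        walk(start, [start])
    return paths


def build_agenda(toe, catalogue):
    """Component -> sorted applicable pattern names; same inputs always give the same agenda."""
    return {c.name: sorted(p.name for p in catalogue if c.kind in p.applies_to) for c in toe}


def coverage_gaps(toe, catalogue):
    """Completeness check: components the catalogue says nothing about are flagged, not skipped."""
    return [name for name, tests in build_agenda(toe, catalogue).items() if not tests]


def tools_needed(toe, catalogue):
    """Lab tools the agenda requires, so the lab can confirm it has them before testing starts."""
    kinds = {c.kind for c in toe}
    return sorted({t for p in catalogue if p.applies_to & kinds for t in p.tools})


if __name__ == "__main__":
    for path in attack_paths(TOE):
        print(" -> ".join(path))
    for component, tests in build_agenda(TOE, CATALOGUE).items():
        print(f"{component}: {', '.join(tests) or 'NO PATTERN - gap'}")
    print("gaps:", coverage_gaps(TOE, CATALOGUE))
    print("tools:", tools_needed(TOE, CATALOGUE))
```

Because the agenda is a pure function of the TOE model and the catalogue, two evaluators with the same inputs produce the same agenda, which is the repeatability the slides ask for; the gap list is where a lab's own catalogue (slide 14) has to grow.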