Evolution of Common Criteria

5 Mar

Nexor have received Common Criteria certification for our Sentinel Product, as required by our customers. Common Criteria is a scheme that is both much criticised and undergoing evolution.

A positive element of Common Criteria is it ensures that developers have taken a robust approach to designing, developing, testing and shipping the product; this is fundamental to the development of any security product.

In the UK, CESG, have started to implement a scheme called Commercial Product Assurance (CPA), but does not yet have the same market visibility of Common Criteria. CPA extends the core principles of Common Criteria, and adds another vital element: deployment criteria. This is a set of recommendations of how the product should be deployed to achieve the claimed security mitigations. We have always taken this approach at Nexor, by working with the customer to ensure they implement the product in an appropriate way.

Another core aspect of CPA is the definition of security characteristics – this provides an agreed set of security controls and mitigations the product should provide. This addresses a criticism of common criteria whereby vendors define their own controls, so it is hard to compare the merits of similar products. The changes in Common Criteria towards protection profiles mirrors this. (The article “Achieve Cyber Security by Using Common Criteria Certification” gives a good overview of the evolution of Common Criteria.)

One of the remaining challenges is dealing with the dynamic nature of new threats that appear on a day to day basis. For Common Criteria this has been an issue, as soon as a product is modified, the certification is lost – or need retesting under a certification maintainance programme. CPA attempts to address this by validating that the developers processes are sufficiently robust to make modifications to the product without affecting the core security capability.

I look forward to the evolution of the CPA and Common Criteria schemes, both schemes enable providers like Nexor to demonstrate the lengths we go to, to ensure our products meet the highest possible standards of security.

What’s your view, do you look for 3rd party assurance when you buy security products? Please leave your comments below.

See Also

Secure By Design by Andrew Kays.

One Response to “Evolution of Common Criteria”


  1. Cyber Security: What To Check When Looking For A Provider - March 9, 2013

    […] Commercial Product Assurance in the UK (although they’re not perfect as the blog article The Evolution of Common Criteria outlines) to attest the product does what it claims to do (but check the claims carefully). These […]


Please join the discussion, we welcome your views...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: