Mining Issued Common Criteria and FIPS 140-2 Certificates – More Transparency for Developers, Vulnerability Researchers and Society
In this talk, Petr Švenda from the Faculty of Informatics at Masaryk University in Brno presented a data-driven look at security certification ecosystems, using an open source tool for the automatic analysis of publicly available certification reports.
Abstract
Security certification reports might be long, but they are also a trove of publicly available data about proprietary devices and other products otherwise available only under NDAs. While downloading and reading a single certificate is easy, reasoning about the characteristics of the whole ecosystem, which covers more than ten thousand certified devices documented in human-written reports, is a different matter. Are there observable systematic differences between Common Criteria and FIPS 140-2 certificates? Can I quickly find out whether my device uses a certified component that was recently found vulnerable? Most importantly, can we measure and quantify whether the whole process actually increases the security of the products being certified? This talk addresses these questions using an open source tool for the automatic analysis of publicly available certification reports, accompanied by catchy graphs.
Speaker: Petr Švenda, Faculty of Informatics, Masaryk University
For more information, contact brno-research@redhat.com