By Martin Ukrop
Common Criteria (CC) certification provides quantifiable levels of assurance that a technology product meets security expectations, which is critical for safety and regulatory compliance. CC is the widest available mutual recognition of secure IT products: a high-level CC certification provides independent verification that a product meets specific security requirements for highly sensitive computing environments. For both customers and vendors, the efficacy of certification frameworks like CC has a direct impact on their ability to address real-world security challenges.
In November 2024, Red Hat Research, Red Hat Security Compliance engineers headed by Vice President of Product Security Vincent Danen, and researchers from Masaryk University joined the International Common Criteria Conference (ICCC) in Qatar to discuss the ecosystem of security certifications, including current operations and trends and potential directions for efficiency and security improvements.
Data-driven approaches to security
Complex products and systems, resource constraints, and a constant flood of new vulnerabilities can make vulnerability management feel impossible. Many regulatory frameworks, including Common Criteria, seek to verify that certified products do not contain known vulnerabilities, but the problem is not that simple.

For example, since new vulnerabilities pop up all the time, evaluating and updating complex software products is challenging, taking a lot of time and money. Yet we know that not all vulnerabilities pose the same risk, and some vulnerabilities simply don’t matter. Shouldn’t we focus on really harmful and known exploitable vulnerabilities? That was the question posed by Vincent Danen’s keynote talk, “Vulnerability and compliance,” at ICCC. As Danen pointed out, both the severity of impact and the risk of exploitation should factor into prioritizing how vulnerabilities are addressed. What if instead of patching everything, we invested in preventing serious vulnerabilities and elevating the overall security of certified products? This focus, Danen argued, would reduce risk to critical security systems while preventing the deceleration of innovation. (Slides from Danen’s keynote are available for review.)

Evaluating risk requires good, accessible data. The sec-certs project, demoed at ICCC, aims to provide a one-stop shop to explore the CC/FIPS 140 certification ecosystem and enable a data-driven approach to vulnerability management. The project aggregates and annotates certification data to allow unified searches, trend analyses, and investigation of vulnerabilities affecting certified products. Researchers, vendors, certification labs, and certification agencies can search the full dataset of certification files enhanced with layers of metadata. Sec-certs is a fully open source project of the Centre for Research on Cryptography and Security (CROCS) at Masaryk University with support from Red Hat Research, and it is a part of the Cybersecurity Excellence Hub in Estonia and South Moravia (CHESS), which brings together a consortium of universities, private companies, government agencies, and NGOs to strengthen cybersecurity in the European Union.
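To make the prioritization argument from Danen's keynote and the product-centric view that sec-certs enables concrete, here is an added Python example. It is not code from the sec-certs project or from the talk: the product names, assurance levels, and CVE identifiers are constructed placeholders, and the scoring weights are assumptions chosen for illustration. It joins a small inventory of certified products with a vulnerability feed, scores each finding by combining impact severity with evidence of exploitation, and summarizes how much of the backlog can be deferred rather than patched immediately.

```python
"""Risk-based prioritization of vulnerabilities in certified products.

Added example: all product names, CVE ids (CVE-EXAMPLE-*), scores and
weights below are constructed for illustration and are not real data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    cve_id: str            # placeholder id, not a real CVE
    cvss: float            # CVSS base score, 0.0 to 10.0 (impact severity)
    known_exploited: bool  # exploitation observed in the wild
    exploit_public: bool   # public exploit code is available


@dataclass
class CertifiedProduct:
    name: str
    eal: str                                   # assurance level on the certificate
    affected: list[str] = field(default_factory=list)  # CVE ids affecting it


# Constructed vulnerability feed (not a real advisory list).
VULNS: dict[str, Vuln] = {
    "CVE-EXAMPLE-0001": Vuln("CVE-EXAMPLE-0001", 9.8, False, False),
    "CVE-EXAMPLE-0002": Vuln("CVE-EXAMPLE-0002", 7.5, True, True),
    "CVE-EXAMPLE-0003": Vuln("CVE-EXAMPLE-0003", 5.3, False, False),
    "CVE-EXAMPLE-0004": Vuln("CVE-EXAMPLE-0004", 8.0, False, True),
}

# Constructed inventory of certified products and the CVEs mapped to them.
PRODUCTS: list[CertifiedProduct] = [
    CertifiedProduct("Example HSM", "EAL4+", ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"]),
    CertifiedProduct("Example OS", "EAL2", ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0004", "CVE-EXAMPLE-0003"]),
    CertifiedProduct("Example Smartcard", "EAL5+", []),
]


def risk_score(v: Vuln) -> float:
    """Combine severity with exploitation likelihood (assumed weights).

    Exploitation evidence multiplies the base score, so a high-severity bug
    being exploited in the wild outranks a critical bug with no known exploit.
    """
    if v.known_exploited:
        exploit_factor = 3.0
    elif v.exploit_public:
        exploit_factor = 1.5
    else:
        exploit_factor = 1.0
    return round(v.cvss * exploit_factor, 1)


def tier(v: Vuln) -> str:
    """Map a vulnerability to a remediation tier (assumed thresholds)."""
    if v.known_exploited:
        return "fix-now"
    if v.cvss >= 9.0 or (v.exploit_public and v.cvss >= 7.0):
        return "fix-next"
    return "track"


def prioritize(products: list[CertifiedProduct],
               vulns: dict[str, Vuln]) -> list[tuple[str, str, float, str]]:
    """Return (product, cve_id, score, tier) rows, highest risk first."""
    rows = []
    for p in products:
        for cve in p.affected:
            v = vulns[cve]
            rows.append((p.name, v.cve_id, risk_score(v), tier(v)))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def backlog_summary(rows: list[tuple[str, str, float, str]]) -> dict[str, int]:
    """Count findings per tier: shows how much of the backlog is deferrable."""
    counts = {"fix-now": 0, "fix-next": 0, "track": 0}
    for _, _, _, t in rows:
        counts[t] += 1
    return counts


if __name__ == "__main__":
    ranked = prioritize(PRODUCTS, VULNS)
    for product, cve, score, t in ranked:
        print(f"{score:5.1f}  {t:9s} {product:18s} {cve}")
    print(backlog_summary(ranked))
```

With this data only one finding lands in the "fix-now" tier, two are scheduled next, and the remaining two are tracked. The point is the shape of the workflow rather than the specific weights: once certification data and vulnerability data are joined per product, the exploitation signal can be applied consistently instead of treating every CVE as equally urgent.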

Making the certification ecosystem more transparent through tools like sec-certs benefits both security professionals and end users by fostering trust and accountability and by making it easier to verify the impact of certification on real-world security. Research like that done by Professor Vashek Matyas (Masaryk University), untangling the references among CC certified products, is made possible by the transparency sec-certs helps provide. As Matyas noted in his presentation at ICCC, enhancing certification documentation for automated processing would go a long way toward enabling this kind of analysis. (Slides from Vashek Matyas’ presentation are available to review.)
Learn more
Interested in learning more about how Red Hat is supporting research into data-driven approaches to IT security? Reach out to Red Hat Principal Research Software Engineer Martin Ukrop and subscribe to the Red Hat Research Quarterly. You can find an introduction to sec-certs work in the RHRQ article “A data-driven approach for analyzing Common Criteria and FIPS 140 security certificates.”

CHESS is funded by the European Union under Grant Agreement No. 101087529. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Research Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.