Sec-certs: Mining issued Common Criteria and FIPS140-2 certificates
Security certification reports may be long, but they are also a trove of publicly available data about proprietary devices and other products, information otherwise available only under NDA. While downloading and reading a single certificate is easy, reasoning about the characteristics of the whole ecosystem, now with more than ten thousand certified devices, on the basis of human-written documents is a different matter.
Are there observable systematic differences between the Common Criteria and FIPS140-2 certificates? Can I quickly find out if my device is using a certified component recently found vulnerable? And most importantly, can we measure and quantify whether the whole process is actually increasing the security of the products being certified?
The developed tool is publicly available at seccerts.org.
Related RHRQ Articles
- Focus on trust | May 2024
- A data-driven approach for analyzing Common Criteria and FIPS 140 security certificates
- Publication highlights—November 2024
- Open source researchers in security and education win 2021 innovation awards
- Big data, security certification, and FPGAs: 2021 Red Hat Research Days have begun