Red Hat Research @ ICCC 2024
At the beginning of November 2024, Red Hat Research joins forces with Red Hat Product Security and Masaryk University researchers to present at The International Common Criteria Conference (ICCC) in Doha, Qatar. The delegation will discuss the ecosystem of security certifications: its current operations, trends, and potential directions for efficiency and security improvements.
Security certifications, such as Common Criteria (CC) or Federal Information Processing Standard 140 (FIPS 140), aim to ensure the security of critical components, from secure hardware (for example, a credit card) to complex software (for example, Red Hat Enterprise Linux). However, the flow from preparing certification documentation, via validation by an independent certification lab, to the formal assignment of the security certification is complex, sometimes clumsy and oftentimes not transparent enough. Although everything has its flaws, in this case we have to make sure they do not come at the expense of the security of the final products.
At the conference, Vincent Danen, the Vice President of Product Security at Red Hat, will talk about the real-world issues of vulnerability management within compliance. Vashek Matyas, a professor at Masaryk University, will share his research group's insights into the whole Common Criteria ecosystem. In parallel with the talks and panel discussions, the Red Hat booth in the exhibition space will present the sec-certs project – a unique open source tool that allows anyone to explore the certification ecosystem trends and gain deep insights.
Industry Keynote: Vulnerability Management and Compliance
Vincent Danen, Vice President of Product Security, Red Hat
“Certified products do not contain known vulnerabilities” is a common theme for many regulatory frameworks, including Common Criteria. As new vulnerabilities pop up all the time, this makes evaluations of complex software products challenging. The question to raise is: do all vulnerabilities pose the same risk? Some vulnerabilities simply don’t matter. Shouldn’t we focus on really harmful and known exploitable vulnerabilities? Instead of patching everything, shouldn’t we invest in preventing these serious vulnerabilities and elevate the overall security of certified products? This talk will cover what kinds of vulnerabilities pose risks, and other areas that deserve our focus to actually reduce risk to national security systems and prevent the deceleration of innovation.
Enhancing Transparency: Insights From the Common Criteria Certification Ecosystem
Vashek Matyas, Professor, Masaryk University
The study of the Common Criteria ecosystem, involving over 5,700 certified products and aided by the analytical tool sec-certs, unveils compelling findings. Notably, 61% of smartcard-related items have certified dependencies, while only 3% of smartcard-unrelated products do. Critical components relied upon by over 10% of the ecosystem are identified, highlighting potential issues with references to archived certificates. The transparent approach fosters trust and accountability, benefiting all stakeholders. The talk will discuss overcoming obstacles to automated processing and suggest enhancements for certification document preparation to bolster transparency.
Booth: Demo of the sec-certs tool
Red Hat associates, sec-certs project research team
The sec-certs project (sec-certs.org, Red Hat Research profile) is a collaborative effort between the Centre for Research on Cryptography and Security at Masaryk University (Czechia) and Red Hat Research. It aims to create a common place to explore the Common Criteria and FIPS 140-2/3 certification ecosystems. Researchers as well as professionals from vendors, certification labs or certification agencies can search over the full dataset of certification files enhanced with layers of metadata, investigate ecosystem trends and certificate references, use the mapping of certificates to CVEs, and more. The project is fully open source and openly provides all the underlying data.
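To make concrete the kind of analysis the talk abstract above reports (share of products with certified dependencies, components relied upon by a large part of the ecosystem, references to archived certificates) and the certificate-to-CVE mapping the booth description mentions, here is an added example that is not code from the sec-certs project or the original post. It operates on a constructed toy dataset: the certificate identifiers, categories, statuses, reference edges and CVE identifiers are all made up for illustration, and the "more than 10% of the ecosystem" threshold is taken from the abstract.

```python
"""Toy analysis of a certificate reference graph (added example, constructed data)."""
from collections import Counter

# Constructed sample: one record per certificate. 'refs' lists the certificate
# ids this product depends on (e.g. a smartcard OS built on a certified chip);
# 'status' is 'active' or 'archived'. None of these are real certificates.
CERTS = [
    {"id": "SC-001", "category": "smartcard", "status": "active",   "refs": ["IC-100"]},
    {"id": "SC-002", "category": "smartcard", "status": "active",   "refs": ["IC-100"]},
    {"id": "SC-003", "category": "smartcard", "status": "active",   "refs": ["IC-101"]},
    {"id": "SC-004", "category": "smartcard", "status": "archived", "refs": []},
    {"id": "IC-100", "category": "ic",        "status": "active",   "refs": []},
    {"id": "IC-101", "category": "ic",        "status": "archived", "refs": []},
    {"id": "OS-200", "category": "os",        "status": "active",   "refs": []},
    {"id": "OS-201", "category": "os",        "status": "active",   "refs": ["IC-101"]},
    {"id": "NW-300", "category": "network",   "status": "active",   "refs": []},
    {"id": "NW-301", "category": "network",   "status": "active",   "refs": []},
]

# Constructed certificate -> CVE mapping; the CVE ids are placeholders, not real entries.
CVE_MAP = {"OS-200": ["CVE-0000-0001"], "IC-101": ["CVE-0000-0002"]}


def _index(certs):
    return {c["id"]: c for c in certs}


def dependency_share(certs, smartcard_categories=("smartcard", "ic")):
    """Fraction of products with at least one certified dependency, as a
    (smartcard-related, smartcard-unrelated) pair."""
    related = [c for c in certs if c["category"] in smartcard_categories]
    unrelated = [c for c in certs if c["category"] not in smartcard_categories]

    def share(group):
        return sum(1 for c in group if c["refs"]) / len(group) if group else 0.0

    return share(related), share(unrelated)


def critical_components(certs, threshold=0.10):
    """Certificates referenced by more than `threshold` of all certificates,
    mapped to the number of products that depend on them."""
    incoming = Counter(ref for c in certs for ref in set(c["refs"]))
    total = len(certs)
    return {cid: n for cid, n in incoming.items() if n / total > threshold}


def archived_references(certs):
    """Active certificates whose dependency is archived or not in the dataset
    at all; each finding is (dependant, referenced id, reason)."""
    by_id = _index(certs)
    findings = []
    for c in certs:
        if c["status"] != "active":
            continue
        for ref in c["refs"]:
            dep = by_id.get(ref)
            if dep is None:
                findings.append((c["id"], ref, "missing"))
            elif dep["status"] == "archived":
                findings.append((c["id"], ref, "archived"))
    return findings


def inherited_cves(certs, cve_map):
    """CVEs affecting each product directly or through its transitive
    dependencies (iterative DFS with a visited set, so cycles are safe)."""
    by_id = _index(certs)
    result = {}
    for c in certs:
        seen, stack, cves = set(), [c["id"]], set()
        while stack:
            cid = stack.pop()
            if cid in seen:
                continue
            seen.add(cid)
            cves.update(cve_map.get(cid, []))
            stack.extend(by_id.get(cid, {"refs": []})["refs"])
        result[c["id"]] = sorted(cves)
    return result


if __name__ == "__main__":
    print("dependency share (smartcard, other):", dependency_share(CERTS))
    print("critical components:", critical_components(CERTS))
    print("references to archived certs:", archived_references(CERTS))
    print("inherited CVEs:", inherited_cves(CERTS, CVE_MAP))
```

The archived-reference check is the point a practitioner would act on: a product whose certificate is active but whose certified platform has been archived, or which inherits a mapped CVE from that platform, is exactly the case where a certification status alone says too little about the current risk.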
About ICCC
The International Common Criteria Conference is the leading forum for the community of professionals involved in Common Criteria (CC), the widest available mutual recognition of secure IT products. ICCC is a high-level technical conference, a forum for discussion on the policy and application of CC, and a professional networking opportunity for those in charge of specification, development, evaluation, certification and approval with regard to the IT security of products and systems. The three-day conference program will feature government and industry experts from across the international Common Criteria community.
About Red Hat Research
Red Hat Research connects Red Hat engineers with professors, researchers, and students to bring great research ideas into open source communities. Our activities around the world have produced grants from government and industry, papers at top conferences, and results that have landed in open source projects of all kinds. Red Hat Research welcomes participation from research-minded individuals around the world.