Penetration Testing mailing list archives
Re: Common Criteria Evaluations
From: Richard Thomas <austindad () gmail com>
Date: Wed, 9 Sep 2009 12:13:24 -0500
Now that is a big question. One thing to consider is how much the vendor wants to pay for a CC validation. The higher the EAL, the more it will cost. As you examine products at the various EALs, you will notice that as the level increases, the product becomes less complex. Looking at the security target of a product will tell you what is in scope of the evaluation. The higher the EAL, the more assurance the product has.

When a particular product acquires a validation certificate, the code of the product is locked. Any changes, e.g. service packs, must be evaluated in terms of the impact to any of the assurance claims made within the security target.

Also be aware that products are evaluated in a specific configuration. If you are trying to achieve a given assurance level for your system, then first you would need to purchase the appropriate product at that level and then configure it and operate it in the same configuration as it was evaluated for the EAL to be in effect.

If you are looking for the types of security controls in place at the various EALs, I would start at commoncriteriaportal.org.

I hope this helps.

Richard Thomas

On Tue, Sep 8, 2009 at 4:43 AM, M.D.Mufambisi <mufambisi () gmail com> wrote:
Hi people. I'm hoping someone here will be able to assist me. I have just been going through the Common Criteria evaluations. Of particular interest is the fact that Microsoft 2008 Server has an evaluation of EAL1 yet XP SP2 has an evaluation of EAL3. What does this mean with regards to security and functionality? Does a product get re-evaluated, say, when a service pack has been released? Are there particular instances where one specifically looks for software of a particular assurance level?

Regards

Munyaradzi Mufambisi