Is Automation Necessary for the CC Survival?

•

0 j'aime•15 vues

The use of different automation tools in Common Criteria is a reality. In recent years, it has been demonstrated that the capacity to take on a large number of Common Criteria evaluations, both by laboratories and by the Certification Bodies, is limited. The automation of certain processes through the use of tools created specifically for this purpose is seen as the only possible way to speed up the process, both in terms of time and workload. How will the use of tools affect the immediate future of the different stakeholders in Common Criteria? Will automation lead to an increase in the number of certifications and the possibility that more companies will be able to become certified?

Technologie

❑ José Ruiz
❑ Co-Director at jtsec Beyond IT Security
❑ Kevin Gallicchio
Technical Leader, NIAP
MODERATOR
PANELISTS
❑ Lachlan Turner
Director Consulting, Lightship Security
❑ Alexander Krumeich
Head of Certification/Senior Software Developer, CGM
❑ Pascal Van Gimst
Vice President Global Services Sales and Business Development, Riscure

❑ Alexander Krumeich
• Job Software Developer, Certification Specialist
• Company CompuGroup Medical Deutschland
• CC EAL 3+ for KoCoBox MED+ since 2015
• Background Java, Unix, LaTeX, DevOps
• Automation Project Developing n-doc
CGM Deutschland AG, Cologne, Germany

In development
since 2017
Deployed in
customer and in-
house projects
Published in 2020
as Open Source
Software under
MIT license.
High-Quality,
hyperlinked PDF
Documents
Adaptable to
different
certification
schemes

n-docKey features
TOE model in a relational database
as typesetting tool
Best practices of software engineering

Continuous Delivery of Documents
Authors/Editors
• edit
document
sources
• use tools in
Docker
container
git (GitLab)
• provides
version
control
• enables
collaboration
Jenkins
• runs LaTeX
• creates PDF
• generates
static web site
for Intranet
nextCloud
• Document
Handover to
Lab
Automation

=> CC can learn a lot from software engineering:
Automation comes natural to software engineers
Pain Points (developer Perspective)
=> Automation not only saves time but ensures reliability:
fewer manual, error-prone tasks
Insufficient/Incompatible tooling mandated by enterprise
policies and ALC
• ALC restrictions prevent using cloud-based tools such as bug trackers
• Office documents are sent by email, all processing is manual
• Developers/Labs/CABs rely on decades-old, outdated Office templates
• Software Developers are not necessarily familiar with Office tools

Contenu connexe

Similaire à Is Automation Necessary for the CC Survival?

Controlled Evolution with Puppet and AWS

Puppet

DevOps e a transformação digital de aplicações

Ramon Durães

General presentation - Bitcraft

Kamila Katyal

OPENING KEYNOTE: The Cloud Native Computing Foundation (CNCF) is an open source software foundation dedicated to making cloud native computing universal and sustainable. With over 300 members including the world’s largest public cloud and enterprise software companies, Alexis Richardson, CEO of Weaveworks and chair of the CNCF Technical Oversight Committee will walk you through some success stories, and why cloud native is the way forward. You’ll learn why Kubernetes and other CNCF projects have some of the fastest adoption rates in the history of open source, and how this is only the beginning. Alexis will then show how you can increase speed and reliability in your development workflows even further by using the GitOps model, which has been developed at Weaveworks. You’ll learn about the core concepts of GitOps, including customer success stories, and how you can benefit from using this model.

Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...

Weaveworks

One of the biggest advantages Kubernetes has to offer is that it is agnostic to infrastructure and capable of managing diverse workloads running on different compute resources. This allows organizations to manage multiple developer platforms, who can operate across many environments such as on premise, hybrid and multiple clouds. Streamlined processes and automation is pivotal for operations when managing clusters at scale and maintaining security and policy checks. Paul Curtis, Principal Solutions Architect will demonstrate GitOps and Weave Kubernetes Platform in a hybrid and multi-cloud setup. Learn how to: Use model-driven automation to increases reliability and stability across environments Simplify multi-cluster management with GitOps Enable developers to push code to production daily (self-service) Improve utilization and capacity management through Kubernetes platforms on cloud and on-premise infrastructure

Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps

Sonja Schweigert

Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps

Weaveworks

DevOps has evolved over these years and has presented us with a new set of challenges. We have more tools and complexity. This presentation will walk you thought - * How we tackle the explosion of tools and complexity and add more value to business * How platforms can help * What challenge we face when we build a platform from scratch * How a joint solution from Canonical MicroK8s and gopaddle can help.

Efficient platform engineering with Microk8s & gopaddle.pdf

Vinothini Raju

When you have to say ""YES"" to everything, what does that really mean? The Boston Consulting Group (BCG) is a global management consulting firm that advises industry leading companies on value creation strategies, innovation, transformation, supply chain management and much more. BCG provides recommendations and analytics that are custom tailored to the needs of each client. To do this BCG is transforming what used to be presentations and manual models into software that is prototyped and distributed to their client to run on their infrastructure - in effect changing the way BCG delivers value. However the productization process poses unique challenges and opportunities. Their clients have every type of infrastructure and application stack within their IT environments, how can BCG ensure that the custom built analytics applications will operate well at scale in their client's production environment - especially when it is an environment that they don't control? The bespoke nature of the BCG business led the team to embark on an engineering led journey to containerization with Docker. Attend this session to learn more about the approach, challenges and how BCG is enabling transformation with Docker Enterprise Edition.

The Complexity to "Yes" in Analytics Software and the Possibilities with Dock...

Docker, Inc.

Brainstack Technology is a service based tech start which offers great services in the field of DevOps,Cloud services,machine learning,IoT and software testing. We have partnered with start-ups,government and telecom companies to deliver some great solutions. Our aim is to deliver the complete range of technology services starting from ideation to execution, thus enabling our global clients to outperform the competition.

Brainstack offerings

Brainstack Technologies

apidays LIVE Paris 2021 - Synchronous Communication Patterns by Sébastien Ber...

apidays

AWS live hack: Docker + Snyk Container on AWS

Eric Smalling

Google Cloud Fundamentals by CloudZone

Idan Tohami

Controlled Evolution with Puppet and AWS

Puppet

Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...

Vietnam Open Infrastructure User Group

Even though you’re a small startup or medium-sized business and just beginning your product journey, it doesn’t mean you can’t have a robust and scalable DevOps environment like the enterprise experts. It is always a good practice when building a startup or a new company to have a solid foundation and start implementing efficient and scalable solutions early. Join and learn how having a limited budget doesn’t mean you can’t have enterprise quality tools.

Enterprise-Grade DevOps Solutions for a Start Up Budget

DevOps.com

.NetKS Catalogue

Przemysław Ładyński

Intro to DevOps 4 undergraduates

Liran Levy

Dev ops presentation

Ahmed Kamel

Compuware and CloudBees demonstrate how you can apply modern DevOps practices to your mainframe applications using Compuware ISPW and Topaz for Total Test with CloudBees Jenkins. Compuware Product Manager Steve Kansa and CloudBees DevOps Evangelist Brian Dawson will: - Position the mainframe as part of your DevOps and CI/CD journey - Explain how Jenkins automates mainframe source code management and testing - Demo a CI/CD workflow on a COBOL application Watch the full presentation on YouTube: https://www.youtube.com/watch?v=x4MWrPy3bKM.

Enterprise DevOps and the Modern Mainframe Webcast Presentation

Compuware

API Gitlab, risparmia tempo nella configurazione dei progetti. Emerasoft presenta il primo meetup in italiano su Gitlab - 30 minuti - in cui ci focalizzeremo sull'utilizzo delle API per la configurazione dei progetti Gitlab. Sabrina presenterà l'applicazione Web Gitlab raccontando la nostra esperienza nella configurazione di nuovi progetti utilizzando l'API Gitlab. Agenda: - Gitlab Intro - Funzionalità dell'ultima versione - Caso d'uso su API Gitlab (Utenti, Gruppi, Progetti) Vuoi saperne di più? Unisciti al Gitlab Meetup Milano: https://www.meetup.com/it-IT/Gitlab-Meetup-Milano/ o scrivici all'indirizzo gitlab@emerasoft.com

Api gitlab: configurazione dei progetti as a service

Emerasoft, solutions to collaborate

Similaire à Is Automation Necessary for the CC Survival? (20)

Controlled Evolution with Puppet and AWS

DevOps e a transformação digital de aplicações

General presentation - Bitcraft

Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...

Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps

Efficient platform engineering with Microk8s & gopaddle.pdf

The Complexity to "Yes" in Analytics Software and the Possibilities with Dock...

Brainstack offerings

apidays LIVE Paris 2021 - Synchronous Communication Patterns by Sébastien Ber...

AWS live hack: Docker + Snyk Container on AWS

Google Cloud Fundamentals by CloudZone

Controlled Evolution with Puppet and AWS

Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...

Enterprise-Grade DevOps Solutions for a Start Up Budget

.NetKS Catalogue

Intro to DevOps 4 undergraduates

Dev ops presentation

Enterprise DevOps and the Modern Mainframe Webcast Presentation

Api gitlab: configurazione dei progetti as a service

Plus de Javier Tallón

A ningún fabricante le es ajeno que los requisitos criptográficos a la hora de desarrollar cualquier producto son cada vez mayores. Por ello, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas aplicados a la metodología LINCE. En esta charla explicaremos las principales novedades introducidas en la Metodología de Evaluación de Mecanismos Criptográficos presentada el año pasado, así como la definición de la nueva Metodología de Evaluación Criptográfica conforme a la CCN STIC-130.

Evolucionando la evaluación criptográfica - Episodio II

Javier Tallón

En la actualidad existe un gran número de soluciones biométricas en el mercado, que se aplican cada vez más en sectores clave como la banca, la administración pública y los seguros. El Ministerio de Asuntos Económicos y Transformación Digital publicó la primera orden ministerial, en el BOE núm. 115, de 14 de mayo de 2021, que regula los métodos de videoidentificación a distancia para la emisión de certificados electrónicos reconocidos. A raíz de esta legislación, el CCN, desarrolló un módulo de evaluación biométrica (MEB), que permite la evaluación de soluciones biométricas tanto para la metodología LINCE como para Common Criteria siguiendo la guía IT-014. Durante la charla se explica cómo se aplica la guía IT-014 y los diferentes tipos de ataques de presentación que contempla; impostor, mediante vídeos, mediante máscaras, mediante herramientas deepfake, etc. La charla es eminentemente técnica y mostrará ejemplos de ataques reales ejecutados durante las evaluaciones. jtsec, con su experiencia en las primeras evaluaciones de soluciones biométricas, ofrecerá una visión general de cómo se han llevado a cabo dichas evaluaciones y los tipos de ataques más difíciles de mitigar para los proveedores. La charla describe las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pone de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.

Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...

Javier Tallón

As is customary in the last editions of ICCC, the statistics related to Common Criteria provide significant market data. This year, stable data is presented. Data collection is done using CC Scraper, a tool developed by jtsec that automatically analyzes information from the CC and CBs portals using OCR capabilities and other features. Would you like to know the data for the first three quarters of 2023 and the evolution in recent years in terms of the number of certifications? Other data will also be disclosed, such as top labs and vendors, most used assurance levels, or most used protection profiles. This presentation showcases Common Criteria’s data in a year when the market has stabilized after several years of political and health instability.

ICCC2023 Statistics Report, has Common Criteria reached its peak?

Javier Tallón

The use of cryptographic primitives to safeguard sensitive information in hardware, software, and firmware products is witnessing widespread adoption. Recognizing the increasing cryptographic requirements, CCN (Certification Body for National Cryptology) has developed a methodology in collaboration with jtsec. This methodology encompasses conformance testing, identification of common implementation pitfalls, and implementation requirements for cryptographic primitives. The primary objective of this cryptographic methodology is to establish a standardized framework for conducting cryptographic evaluations of Target of Evaluations (TOEs). These evaluations aim to obtain Common Criteria certificates and other certifications. The methodology specifically targets products in which cryptographic mechanisms form a crucial part of their core functionality, such as VPNs, HSMs, ciphers, communication apps, and more. During the talk, the speakers will introduce the new approach to evaluate cryptography in Spain, following the jointly created methodology by CCN and jtsec. They will also demonstrate a tool designed to verify the compliance of cryptographic primitives. This presentation will be particularly beneficial for product developers, as they will learn about the requirements that will be demanded in Spain going forward. It will also be of interest to other Certification Bodies (CBs) who may find this methodology and tool valuable in their own evaluations.

ICCC23 -The new cryptographic evaluation methodology created by CCN

Javier Tallón

The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed. Today, it is NOT possible to use Common Criteria to evaluate cloud services, despite many administrations are migrating to cloud solutions. This talk will not talk about Cloud programs such as FedRamp, ENS, C5, SecNumCloud or ENISA EUCS scheme. All these schemes, evaluate the clod infrastructure and the controls specified in the respective standards. But in those standards, we cannot find assurance requirements related to the product/service itself. e.g. If your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications but it would be NOT possible to obtain a CC certification using NIAP PPs. To solve this problematic, a practical approach has been followed in Spain, evaluating the cloud services using the LINCE methodology but obtaining a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of processes. In this talk, we want to show jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, Test environment, TOE identification, permission to test, etc…). We would like also to discuss how the experience obtained using the LINCE methodology could be extrapolated (or NOT) to the CC World.

Experiences evaluating cloud services and products

Javier Tallón

Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market. Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.

TAICS - Cybersecurity Certification for European Market.pptx

Javier Tallón

Checkpoint Technologies, empresa a la que hemos ayudado a certificar/cualificar varios de sus soluciones con el fin de formar parte del catálogo CPSTIC / CCN STIC-105, nos invitó como ponentes a este webinar en el que tuvimos la oportunidad de explicar lo siguientes puntos: • Introducción al Centro Criptológico Nacional (CC) y el Esquema Nacional de Seguridad (ENS) • En qué consiste el Catálogo de Productos y Servicios de Seguridad de las Tecnologías de la Información y la Comunicación (CPSTIC) • Beneficios de la certificación/cualificación de una solución y el cumplimiento del ENS para tu organización y principales

La ventaja de implementar una solución de ciberseguridad certificada por el C...

Javier Tallón

The draft of the URWP (Union Rolling Work Programme) of the European commission suggests a European Crypto Scheme as one of the potential schemes to be created under the CSA. The use of cryptographic modules to protect sensitive information in hardware, software and firmware products is becoming increasingly widespread. Until now, there has been a reference methodology for cryptographic evaluation at international level, FIPS 140-3. Nonetheless, at the SOG-IS level, there have been efforts to harmonize evaluations in Europe. The publication of the SOGIS Agreed Cryptographic Mechanisms or the SOGIS Harmonised cryptographic Evaluation Procedures show the efforts conducted in Europe during the last years. However, the pandemic situation has slowed down the progress. This talk will present the new approach to evaluate cryptography in Spain according to the methodology created jointly by CCN (Spanish CB) and jtsec, which could serve as a base for a potential European scheme. In addition, this talk will show the tool created to verify the conformance of cryptographic primitives. This presentation will be especially useful for schemes and government entities to check if the approach could fit their needs.

EUCA23 - Evolution of cryptographic evaluation in Europe.pdf

Javier Tallón

Seguro que has visto cómo cada vez más sectores como la banca o los seguros permiten abrir cuentas legalmente vinculadas sin la intervención (a priori) de un operador humano gracias a procesos de videoidentificación, pero, ¿te has preguntado qué tan seguros son? El Ministerio de Asuntos Económicos y Transformación Digital, en el BOE núm. 115, de 14 de mayo de 2021 y con motivo de la emergencia sanitaria generada por la crisis de la COVID-19, regulaba los métodos de identificación remota por vídeo para la expedición de certificados electrónicos cualificados, lo que obliga a los prestadores de este tipo de servicios a validar sus soluciones en los términos que establece el anexo F11 de la Guía CCN-STIC-140, del Centro Criptológico Nacional. Dicho anexo requiere que un laboratorio acreditado realice ataques de presentación a este tipo de soluciones para verificar su resistencia a técnicas como máscaras hiperrealistas, deepfake o contouring. Durante esta charla ahondaremos en los detalles técnicos de dichos ataques, y te contaremos cómo hemos conseguido inyectar vídeo en muchas de estas soluciones.

Hacking your jeta.pdf

Javier Tallón

El uso de módulos criptográficos para proteger información sensible en productos hardware, software y firmware es cada vez más extendido. Por ello CCN, desarrolló en su Guía de Seguridad de las TIC CCN-STIC 2002 un Módulo de Evaluación Criptográfico (MEC) que se aplica a diferentes soluciones que implementan algoritmos criptográficos. Este módulo sirve de referencia en numerosas evaluaciones bajo la metodología LINCE en las que se aplica de forma adicional. Debido al aumento cada vez mayor de requisitos criptográficos, CCN ha desarrollado, con el soporte de jtsec, una metodología que incluye pruebas de conformidad, búsqueda de errores comunes en las implementaciones y requisitos de implementación de las primitivas criptográficas. El objetivo de la metodología criptográfica es el de establecer un marco común para llevar a cabo las evaluaciones criptográficas de los TOEs que van a ser evaluados para la obtención de un certificado Common Criteria, LINCE con validación criptográfica o STIC con validación Criptográfica. En esta charla se presentará la nueva aproximación para evaluar la criptografía en España según la metodología creada conjuntamente por CCN y jtsec. Además, mostraremos la herramienta creada para verificar la conformidad de las primitivas criptográficas. Esta ponencia será especialmente útil para los desarrolladores de productos que conocerán los requisitos que se pedirán a partir de ahora.

Evolucionado la evaluación Criptográfica

Javier Tallón

El desarrollo de productos creados directamente en la nube (cloud nativo) es una práctica cada vez más extendida en la industria. La administración española no escapa a esa tendencia y es cada vez más habitual las migraciones a la nube. El despliegue y gestionado se realiza en la nube y normalmente son desarrollos en constante evolución, permitiendo a los fabricantes más flexibilidad para la continua mejora de sus productos. Ante el continuo incremento de productos desarrollados en la nube, en febrero de 2020, el CCN publicaba el Anexo G de la “Guía de Seguridad de las TIC CCN-STIC 140” para la Taxonomía de productos de STIC - Servicios en la nube, donde se reflejan los Requisitos Fundamentales de Seguridad (RFS) para este tipo de servicios, considerándose requisitos adicionales que complementan a los requisitos definidos para cada una de las familias de productos. Una guía pionera a nivel internacional para la evaluación de servicios cloud, por lo que cabe destacar que España es el primer país en crear una metodología de evaluación para este tipo de servicios. Normalmente las evaluaciones en la nube, se centran en la gestión e infraestructura del servicio/producto dejando de lado la funcionalidad de seguridad implementada por el mismo. En las evaluaciones de ciberseguridad, existe la particularidad de que estos servicios/productos no pueden ser completamente controlados/instalados en el laboratorio a la hora de realizar la evaluación, por lo que no se puede certificar usando las metodologías LINCE o Common Criteria. Este problema existe a nivel internacional. Para solventar esta casuística, CCN diseño una estrategia de evaluación de servicios en la nube mediante evaluaciones STIC complementarias haciendo uso de la metodología LINCE. Esta vía ha permitido la cualificación en el catálogo CPSTIC / CCN-STIC 105 de servicios en la nube. A día de hoy, hay 6 servicios en la nube incluidos en el catálogo CPSTIC. Todos ellos han sido evaluados por jtsec. En jtsec nos hemos tenido que adaptar tecnológicamente para afrontar este tipo de evaluaciones, puesto que alrededor del 70% de evaluaciones iniciadas en 2022 por jtsec corresponden a servicios en la nube. La charla describirá las particularidades de las evaluaciones en la nube tanto a nivel técnico como en el proceso. Además, pondrá de relieve los esfuerzos realizados a nivel nacional para que se puedan evaluar este tipo de soluciones.

España y CCN como referentes en la evaluación de ciberseguridad de soluciones...

Javier Tallón

Harmonization on the competence of the different labs/evaluators have been always a topic for discussion in the Cybersecurity Certification community. At ISO level, a new standard has been approved aiming to support this goal: ISO 19896. ISO/IEC 19896 orders the requirements for information security testers and evaluators, including a set of concepts and relationships to understand the competency for individuals performing Common Criteria evaluations. The requirements of this new ISO standard allows verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISOs and how to apply it in Common Criteria, which will be explained during the talk. Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO and other related standards.

EUCA 22 - Let's harmonize labs competence ISO 19896

Javier Tallón

As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/Fixed-time methodologies (CPSN, BSPA, BSZ and LINCE). All of them with many similarities, but also with quite a few national differences within them. This panel discussion will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss on the future European fixed-time methodology lead by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one. The panel will discuss the potential impact that FITCEM will have both technically and in terms of the European market to the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).

EUCA22 Panel Discussion: Differences between lightweight certification schemes

Javier Tallón

Common Criteria is the most used international standard for cybersecurity certification for ICT products. CC has lights and shadows and for most of the stakeholders the main drawback might be the assurance continuity process. The application of CC for re-certifications of updates or security-patched products is very slow and not adapted to the time to market of new versions of products. EUCC includes patch management as an activity that may be assessed as part of the evaluation process. ISO SC27 WG3 have been working hard in the last years to prepare the technical specification that could be used to evaluate the TOE‚Äôs patching functionality and the developer‚Äôs patch management by adding new modules that can be integrated into PPs and STs. This talk will explain the current status and news of the ISO Technical Specification, and explain how it address the patch management problem taking into account the Cyber Security Act requirements. The speakers will be Javier Tallon and Sebastian Fritsch, co-editors of the ISO/IEC TS 9565.

EUCA22 - Patch Management ISO_IEC 15408 & 18045

Javier Tallón

The proliferation of new cybersecurity standards/schemes shows the interest of all the stakeholders to require cybersecurity for ICT products. On the other hand, a need for harmonization/recognition between standards/schemes is needed. Otherwise, there could be too many standards that become non-cost-effective for developers certifying their products. For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and it‚Äôs supply chain is not limited within a single vertical. In fact the contrary holds, that building blocks of an IoT device find appliance in a couple of other verticals. Assuming that these building blocks demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy to not repeat those proofs of compliance but instead accept across standards and schemes where applicable. This talk will highlight the importance of the acceptance of certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de-facto acceptance of underlying CC results, SESIP to IEC62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc‚) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU commission). The talk will be given from the developer perspective (Georg Stütz from NXP) and lab perspective (Jose Ruiz from jtsec)

Cross standard and scheme composition - A needed cornerstone for the European...

Javier Tallón

Incluir productos y servicios en el catálogo de ciberseguridad de referencia para la Administración Pública no resulta sencillo. Se ha de superar una evaluación LINCE o Common Criteria para poder acceder a dicho catálogo. En el catálogo CPSTIC se pueden incluir tanto para soluciones on premise como en la nube, siendo una gran ventaja para aquellos desarrolladores cloud native. En esta presentación explicamos las diferentes maneras de incluir una solución en el catálogo CPSTIC, así como los pasos a seguir.

¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?

Javier Tallón

CCCAB (Common Criteria Conformity Assessment Body) Tool is a unique framework that will allow Common Criteria CABs to smooth the certification process for ICT products, reducing the cost and time required in each single certification process. CCCAB will be developed to support NCCAs (National Cybersecurity Certification Authorities) when acting as CABs for level high and CABs (Conformity Assessment Bodies) for level substantial operating under the EUCC (Common Criteria based European candidate cybersecurity certification scheme) scheme. CCCAB has been selected by the European Commission under the Connecting Europe Facility (CEF) programme as a granted project. Two European NCCAs are also supporting CCCAB: CCN (Spain) and OCSI (Italy), reflecting the magnitude of the project. CCCAB will be released as an open source product and will be free to use allowing the community to improve the tool in the future. This tool was presented at last ICCC. In this year presentation, we will be able to show the specifications that have been defined to interact with the tool. We will be able to present the current status of the development showing the first operational version of CCCAB. Finally, we will discuss the challenges to make the tool accessible widely.

CCCAB tool - Making CABs life easy - Chapter 2

Javier Tallón

CC Scraper is a tool developed by jtsec 5 years ago that that analyses automatically the information from the CC and CBs portals using OCR capabilities and other features. Including detailed insights about Common Criteria like certification per assurance level, trends by Protection Profile, ranking of manufacturer, among others. We have published free annually reports regarding. In last year’s edition, we presented the statistics for 2021, the year with the most Common Criteria certifications in history. Would you like to know the data of the first three quarters of 2022? Will this year beat last year’s record number of certifications? Which labs and vendors will be in the top? This presentation will show Common Criteria’s data in a year that has taken place against a context of global uncertainty and instability.

2022 CC Statistics report: will this year beat last year's record number of c...

Javier Tallón

Artículo publicado en la edición nº 148 de la Revista SIC, donde presentamos la herramientas que estamos desarrollando, pionera en el mercado. CCCAB es un proyecto financiado por la Comisión Europea en el marco del programa Connecting Europe Faciclity (CEF), que permite ahorrar tiempo y esfuerzo a los CABs (Certification Assessments Bodies), aligerando su carga de trabajo para optimizar la fase de certificación.

CCCAB, la apuesta europea por la automatización de los Organismos de Certific...

Javier Tallón

Automating Common Criteria

Javier Tallón

Plus de Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II

Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...

ICCC2023 Statistics Report, has Common Criteria reached its peak?

ICCC23 -The new cryptographic evaluation methodology created by CCN

Experiences evaluating cloud services and products

TAICS - Cybersecurity Certification for European Market.pptx

La ventaja de implementar una solución de ciberseguridad certificada por el C...

EUCA23 - Evolution of cryptographic evaluation in Europe.pdf

Hacking your jeta.pdf

Evolucionado la evaluación Criptográfica

España y CCN como referentes en la evaluación de ciberseguridad de soluciones...

EUCA 22 - Let's harmonize labs competence ISO 19896

EUCA22 Panel Discussion: Differences between lightweight certification schemes

EUCA22 - Patch Management ISO_IEC 15408 & 18045

Cross standard and scheme composition - A needed cornerstone for the European...

¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?

CCCAB tool - Making CABs life easy - Chapter 2

2022 CC Statistics report: will this year beat last year's record number of c...

CCCAB, la apuesta europea por la automatización de los Organismos de Certific...

Automating Common Criteria

Dernier

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

DBX First Quarter 2024 Investor Presentation

Dropbox

Exploring Multimodal Embeddings with Milvus

Zilliz

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Dernier (20)

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Vector Search -An Introduction in Oracle Database 23ai.pptx

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Understanding the FAA Part 107 License ..

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Six Myths about Ontologies: The Basics of Formal Ontology

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

WSO2's API Vision: Unifying Control, Empowering Developers

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Strategies for Landing an Oracle DBA Job as a Fresher

DBX First Quarter 2024 Investor Presentation

Exploring Multimodal Embeddings with Milvus

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Is Automation Necessary for the CC Survival?

1. ❑ José Ruiz ❑ Co-Director at jtsec Beyond IT Security ❑ Kevin Gallicchio Technical Leader, NIAP MODERATOR PANELISTS ❑ Lachlan Turner Director Consulting, Lightship Security ❑ Alexander Krumeich Head of Certification/Senior Software Developer, CGM ❑ Pascal Van Gimst Vice President Global Services Sales and Business Development, Riscure

4. ❑ Alexander Krumeich • Job Software Developer, Certification Specialist • Company CompuGroup Medical Deutschland • CC EAL 3+ for KoCoBox MED+ since 2015 • Background Java, Unix, LaTeX, DevOps • Automation Project Developing n-doc CGM Deutschland AG, Cologne, Germany

5. In development since 2017 Deployed in customer and in- house projects Published in 2020 as Open Source Software under MIT license. High-Quality, hyperlinked PDF Documents Adaptable to different certification schemes

6. n-docKey features TOE model in a relational database as typesetting tool Best practices of software engineering

7. Continuous Delivery of Documents Authors/Editors • edit document sources • use tools in Docker container git (GitLab) • provides version control • enables collaboration Jenkins • runs LaTeX • creates PDF • generates static web site for Intranet nextCloud • Document Handover to Lab Automation

8. => CC can learn a lot from software engineering: Automation comes natural to software engineers Pain Points (developer Perspective) => Automation not only saves time but ensures reliability: fewer manual, error-prone tasks Insufficient/Incompatible tooling mandated by enterprise policies and ALC • ALC restrictions prevent using cloud-based tools such as bug trackers • Office documents are sent by email, all processing is manual • Developers/Labs/CABs rely on decades-old, outdated Office templates • Software Developers are not necessarily familiar with Office tools

10. The Challenge – Part 1

11. QUESTIONS?

Is Automation Necessary for the CC Survival?

Recommandé

Recommandé

Contenu connexe

Similaire à Is Automation Necessary for the CC Survival?

Similaire à Is Automation Necessary for the CC Survival? (20)

Plus de Javier Tallón

Plus de Javier Tallón (20)

Dernier

Dernier (20)

Is Automation Necessary for the CC Survival?