Smart Application of CC: CC can Actually be Efficient, Lean and Useful! (R21c)
What if I told you that you can have a full CC evaluation, without needlessly redoing boring paperwork tracing over and over again, within short and predictable timeframes, and still have the full benefit of the evaluator focussing on showing there are no exploitable vulnerabilities?
Over the years we’ve honed smarter and smarter ways to apply the CC. We are now at a point where we have an approach that is fully compatible with both the letter and the intent of the CC, and that is practical, useful and efficient. This approach is already in use in specialised smartcard domains, and is quickly being applied to a wide range of other domains. This presentation goes into how and why this approach works.
Of course this approach does not come totally for free. It requires:
1) competency for all parties, and the willingness to (re-)use work of other competent parties,
2) use of an industry standard security problem definition and requirements that match the shared reality of such devices (i.e. a sane PP describing industry practice),
3) use of only standard interfaces implementing those requirements, and ideally industry standard testing covering that,
4) leveraging that industry’s standard processes and assurances on that,
5) and acceptance by stakeholders that this isn’t the mythical perfect ideal we are aiming for, but is the perfectly fine practice.
So leave entrenched views at the door for this presentation, and hear how to look at CC smartly…