tags:

views:

50

answers:

1
+1  Q: 

Options to Common Criteria

There are some critics about the international Common Criteria like [Under-attack].[1]

What are in your opinion the pros and cons of developing IT products with CC?

A: 

I'm a Common Criteria evaluator for the BSI (Germany) and NIAPP (USA) schemes. I've had a small amount of experience, but I think I'm qualified enough to answer this question.

Pros:

  1. The first and foremost plus to developing with CC is to be able to do business with the US government. I die inside every time I say this to someone, because I'd really like the top reason to be security. But alas...
  2. Secondly, it enormously increases the quality of your design documentation because much of the CC revolves around analyzing documentation, and good docs are a requirement. Find a good lab, and they may do all of that for you.
  3. It will make you aware of security questions you never thought about, like how does the customer know the product I shipped to them is really from me and not someone impersonating me?
  4. Lastly, sadly, it will improve the technical security of the product. Get a good lab, and you will leave with a very strong secure product and a certification. Get a bad one and you'll just leave with a certification.

Cons:

  1. Extremely expensive. Unless you have the deep-enough coffers to absorb a hit of hundreds of thousands of dollars, you're not cut out for CC. However, if you have the intention of working with the federal government, you may get them to pay your way if they really like your product.
  2. Extremely time consuming. Our evaluations last 9-16 months, depending on the complexity of the product and the evaluation assurance level. To give you an idea, a general linux distribution at EAL 4 could take a full year to complete.
  3. The certificate only applies to an exact version number of your product. Make an update and the cert is invalid. (However, its up to the requisitioning officer in the DoD whether to accept the patched product, so not all hope is lost.
  4. It's value is almost worthless anywhere outside the federal market.
  5. Depending on the scheme you pick, you'll be facing certain kinds of politics, lack of resources, and extra requirements. Best thing to do is find a good lab who will help you through everything.

Note that I'm giving you pro's and con's from the developer's point of view. There are a different set of pro's and con's when talking about technically how the criteria is set up and what it's effectiveness is.

Jeremy Powell  2009-07-27 21:50:48

related questions

Database choice for large data volume?
Evaluating software estimates: sure signs of unrealistic figures?
SSIS Package fails on execute "Integration Services evaluation period has expired"
Evaluation of an IF statement in VB.NET
Expression Evaluation in C++
Why does 1+++2 = 3 in python?
Condition evaluation in loops ?
Having to set objectives for developers, even though objectives don't work
How to do a Software usability evaluation
is it possible to print all reductions in Haskell - using WinHugs?
Parameter evaluation order before a function calling in C
What usability evaluation methods do you use?
SSRS Expression Evaluation Issue
How do I detect circular logic or recursion in a custom expression evaluator?
Are you a good or bad programmer?
How will you evaluate a programmer in a company's annual evaluation?
Most Effective Way to Evaluate Talent
How Do You Evaluate Software Development Products and Technologies?
Whats the best way to create interactive application prototypes?
How do I choose a CMS/Portal solution for a small website(s)?
How do you evaluate a Software Architect?
How Can I Know Whether I Am a Good Programmer?
How to select an SQL database?
software: when to pay, when to use free?
How would you go about evaluating a programmer?