Update 2020-Aug-20: There appears to be a discussion within the OpenSSL project on the semantics of checking the OpenSSL flag we describe below. We are working to clarify this. NIAP (the US Common Criteria Scheme) recently published a series of …
Multi-CA Capable OCSP Responder in OpenSSL
At Lightship, we use a lot of open-source tools to perform our testing. Because of the nature of the tests we perform, we often find that these tools can be a bit too rigid. One specific example is that of …
Improving Product Security Through Protection Profiles
It’s surprising to think that new-style Common Criteria Protection Profiles have been around in some way shape, or form, since late 2010, when the first Network Devices Protection Profile (NDPP) v1.0 was released by the Information Assurance Directorate (IAD) for …
What’s New in NDcPP v2.2?
The Network Device international Technical Community recently (in December 2019) published version 2.2 of the collaborative Protection Profile for Network Devices – aka – NDcPP. The NDcPP is the most often used Common Criteria Protection Profile to achieve listing on …
NIAP Requests for a Mitigation Plan
Vendors with products on NIAP’s Common Criteria Product Compliant List (PCL) may from time-to-time receive a request from NIAP for a mitigation plan addressing a given widespread vulnerability (e.g. Meltdown, Spectre etc.). This is in keeping with NIAP Policy 17 …
Canada Open for EAL4
The Canadian Centre for Cyber Security recently released its updated Common Criteria (CC) Program Instructions which state that they will consider accepting EAL3 and EAL4 evaluations on a case by case basis. Evaluations were previously restricted to those claiming an …
Game of Certifications: A Song of Common Criteria Requirements
If you’ve ever spent any amount of time delving into the world of Common Criteria (CC), you’ve no doubt come across the veritable Roman/biblical hierarchy of relationships between the various components. At times, it would make even Cersei Lannister blush. …
Understanding the Scope of NDcPP Evaluations
When first exposed to the Network Device collaborative Protection Profile (NDcPP), vendors are often surprised by the extremely narrow scope. It is critical to realize that the Protection Profile (PP) refers to an abstract “network device” with required functionality that …
Challenges in Fuzzing RFC 1149
Conan Hoye and Greg McLearn contributed to this article. At Lightship, we test a lot of NDcPP-compliant products. As part of those evaluations, we are required, as per Appendix A in the Supporting Document, to perform network fuzzing against the …
NDcPP v2.1 endorsed by NIAP but which TDs apply?
[March 14, 2019 update] The NIAP list of TDs is now up to date with NDcPP v2.1 attribution. NIAP announced their endorsement today of version 2.1 of the Network Device collaborative Protection Profile. We’ve previously described the changes in NDcPP v2.1. …