Improving Product Security Through Protection Profiles

Greg McLearn Certifications, Common Criteria

It’s surprising to think that new-style Common Criteria Protection Profiles have been around in some way shape, or form, since late 2010, when the first Network Devices Protection Profile (NDPP) v1.0 was released by the Information Assurance Directorate (IAD) for use in the National Information Assurance Partnership (NIAP). The NDPP v1.0 was unique and represented a dramatic shift in policy and function for Common Criteria evaluations.

In this post, we will examine the positive effects that new-style protection profiles have had in product security over the last (almost) 10 years.

Just before the NDPP v1.0 came on the scene, it was normal for a typical Common Criteria EAL2+ evaluation to be about 70% documentation analysis, only about 15-20% testing and “hands-on” review and the remaining reserved for vendor interviews about product lifecycle, flaw remediation and the like. Test plans typically consisted of a small number of unique test cases depending on the claims; vulnerability analysis consisted of a public survey and a basic port scan. As an evaluator, it was fun to be able to poke at the technology, but often testing was a bit of an after-thought. Minor vulnerabilities or functional issues could be removed from the scope by simply altering the security claims and providing supplementary administrative instructions.

Test activities and AVA_VAN (vulnerability analysis) activities were inconsistent between schemes, labs and even between different evaluators within the same lab. It depended largely on the philosophy of the schemes and the skillsets and experience of the individual evaluators. NIAP decided to unilaterally correct this through the introduction of a new-style of Protection Profile with fixed requirements and tailored assurance activities.

New-style protection profiles didn’t emerge overnight. There was a tremendous amount of friction in the beginning. However, NIAP persevered and we received the NDPP v1.0 on 10-Dec-2010.

The NDPP v1.0 was different, it was prescriptive and it was difficult for vendors to meet and for labs to test. I don’t believe any public products ever successfully met the NDPP v1.0. However, that changed with NDPP v1.1 and it paved the way forward to wider industry adoption.

I remember the first time my colleague and I were testing a vendor’s network device against the NDPP v1.1. We were performing one of the prescriptive management-style functional test cases and found a security-relevant implementation error. It was an actual security flaw and it was found using a prescribed test case. I remember my colleague saying “Maybe NIAP is onto something here!”

Ten years on and NIAP has over 40 Protection Profiles covering a wide variety of technology areas with more coming every quarter. The Network Device Protection Profile has now evolved into an international collaborative Protection Profile (the NDcPP) and accounts for more than 50% of all evaluations performed in North America.

Through prescriptive testing brought by the new-style PPs and a combination of automated and manual analysis, Lightship has helped improve the security of more than 50 unique products since 2016. As part of our unique Functional Gap Assessment (FGA) process, we’ve been able to detect and help vendors remediate real world functional concerns and vulnerabilities before formal evaluation.

The increased scrutiny on functional testing since the introduction of assurance-activity focused Protection Profiles has led to a higher degree of assurance to the end customers and has, in our opinion, increased the vendor’s overall product security posture.

NIAP, I think you were onto something.

Talk to us today to find out how Lightship can help improve your product’s security posture through pre-validation testing and analysis.