We took a strategic decision early on at Lightship Security to focus our initial Greenlight development efforts on automating the tests specified by the Network Device collaborative Protection Profile (NDcPP). There are two main reasons for this:
- It is the most widely used Common Criteria Protection Profile in North America (given its generic applicability)
- It is the forerunner for most NIAP Approved Protection Profiles which re-use a large portion of the NDcPP Security Functional Requirements (SFRs)
Now, we have automated the testing not only for NDcPP but also several other Protection Profiles by virtue of this SFR re-use. Below we present an analysis of the re-use of NDcPP requirements across NIAP Approved Protection Profiles (all but a few).
The primary areas of re-use (shown in green and blue) are:
- Secure communications and related protocol testing – IPsec, SSH, TLS
- X.509 certificate validation testing
- Audit requirements related to the above protocols and X.509
- Entropy – the much loved Entropy Description
- Cryptography – satisfied by Cryptographic Algorithm Validation Program (CAVP)
- Management functions – login, RBAC, banners, self-tests and trusted update
The first three bullet points alone (protocols, X.509 and audit) represent approximately 60 – 80% of the testing effort for an NDcPP evaluation. Through automation, we’ve been able to drastically reduce the effort required not only for NDcPP, but for many NIAP Protection Profiles:
- collaborative Protection Profile for Stateful Traffic Filter Firewalls (CPP_FW_V2.0E)
- Protection Profile for General Purpose Operating Systems (PP_OS_V4.2)
- Protection Profile for Application Software (PP_APP_v1.2)
- Protection Profile for Hardcopy Devices (PP_HCD_V1.0)
- Protection Profile for Certification Authorities (PP_CA_V2.1)
- Protection Profile for Mobile Device Management (PP_MDM_V3.0)
- Protection Profile for Enterprise Security Management – Identity and Credential Management (PP_ESM_ICM_V2.1)
- Protection Profile for Enterprise Security Management – Policy Management (PP_ESM_PM_V2.1)
- Protection Profile for Enterprise Security Management-Access Control (PP_ESM_AC_V2.1)
- Protection Profile for Virtualization (PP_BASE_VIRTUALIZATION_V1.0)
Based on our research, the NDcPP really is the mother of all Protection Profiles!
Lachlan has 15+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. Lachlan leads our consulting team to assist vendors to get through the certification process efficiently.