Download PDFOpen PDF in browser

Incremental Common Criteria Certification Processes using DevSecOps Practices

EasyChair Preprint no. 6415

12 pagesDate: August 27, 2021

Abstract

The growing digitalisation of our economies and societies is driving the need for increased connectivity of critical applications and infrastructures to the point where failures can lead to important disruptions and consequences to our lives. One growing source of failures for critical applications and infrastructures originates from cybersecurity threats and vulnerabilities that can be exploited in attacks. One approach to mitigating these risks is verifying that critical applications and infrastructures are sufficiently protected by certification of products and services. However, reaching sufficient assurance levels for product certification may require detailed evaluation of product properties. An important challenge for product certification is dealing with product evolution: now that critical applications and infrastructures are connected they are being updated on a more frequent basis. To ensure continuity of certification, updates must be analysed to verify the impact on certified cybersecurity properties. Impacted properties need to be re-certified. This paper proposes a lightweight and flexible incremental certification process that can be integrated with DevSecOps practices to automate as much as possible evidence gathering and certification activities. The approach is illustrated on the Common Criteria product certification scheme and a firewall update on an automotive case study. Only the impact analysis phase of the incremental certification process is illustrated.

Keyphrases: Assurance continuity, certification, Certification Evidence, Certification Process, Common Criteria, Cybersecurity, Cybersecurity certification, devsecop cycle, DevSecOps, Incremental Certification, Security certification, Security Requirement

BibTeX entry
BibTeX does not have the right entry for preprints. This is a hack for producing the correct reference:
@Booklet{EasyChair:6415,
  author = {Sébastien Dupont and Guillaume Ginis and Mirko Malacario and Claudio Porretti and Nicolò Maunero and Christophe Ponsard and Philippe Massonet},
  title = {Incremental Common Criteria Certification Processes using DevSecOps Practices},
  howpublished = {EasyChair Preprint no. 6415},

  year = {EasyChair, 2021}}
Download PDFOpen PDF in browser