Common Criteria

Introduction to Common Criteria

The Common Criteria for Information Technology Security Evaluation (commonly referred to as Common Criteria or CC) is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Originating from the convergence of several individual efforts worldwide, including the US's TCSEC and Europe's ITSEC, Common Criteria has become a key benchmark for security assurance.

  • Origins: Evolved from earlier standards like TCSEC and ITSEC.
  • Purpose: To provide a unified standard for evaluating the security features and capabilities of IT products.
  • Adoption: Recognized by numerous countries around the world, making it easier for vendors to sell their products internationally.

The Essence of Protection Profiles

Protection Profiles (PPs) play a pivotal role within Common Criteria. These are essentially standardized document templates that outline specific security requirements for a category of products or systems. By complying with a PP, vendors can ensure that their product meets industry or governmental security expectations for that specific category.

For instance, there might be a PP specifically for firewalls. Vendors producing firewall products would aim to meet or exceed the security requirements specified in that PP.

  • Standardization: Ensures consistent security benchmarks across similar products.
  • Flexibility: Vendors can choose which PP to align with based on their product's intended use.

Evaluation Assurance Levels

One of the key features of Common Criteria is its tiered system of Evaluation Assurance Levels (EALs). Ranging from EAL1 (lowest assurance) to EAL7 (highest assurance), these tiers offer increasing confidence that the security functions of the evaluated product will be reliably executed.

It's important to note that a higher EAL doesn't necessarily mean "better security" in absolute terms, but rather it indicates a higher degree of assurance that the claimed security measures are implemented robustly and reliably.

  • EAL1: Functionally tested.
  • EAL7: Formally verified design and tested.

The Relevance of Common Criteria Today

With the ever-increasing cybersecurity threats and the expansion of software into every facet of our daily lives, the need for standardized security evaluations is more pressing than ever. Common Criteria provides an internationally recognized benchmark, which is crucial in our interconnected, global economy. Many governments mandate Common Criteria evaluation for their IT products, especially for high-security applications.

Moreover, for vendors, achieving a CC certification can open doors to markets that might otherwise remain closed. It offers a competitive edge by showcasing a commitment to security.

How Socket Aligns with Common Criteria

At Socket, we recognize the importance of adhering to globally acknowledged standards like Common Criteria. While our primary goal is to detect and prevent supply chain attacks, we believe that aligning with broader security standards fortifies our commitment to provide robust and reliable software security solutions.

Socket's approach, especially with features like deep package inspection, complements the principles behind Common Criteria. By proactively scanning for threats and analyzing the behavior of open-source packages, Socket showcases a commitment to thorough security evaluation, a core tenet of Common Criteria.

Challenges with Common Criteria

While Common Criteria has garnered widespread acceptance and recognition, it's not without its challenges. One of the most significant is the time and cost involved in obtaining a certification, especially at higher EALs. This can be prohibitive for smaller vendors.

Additionally, while the criteria are comprehensive, technology and threat landscapes evolve. Keeping the criteria up-to-date and relevant requires continuous effort. Lastly, there's the potential risk of vendors "teaching to the test"—designing products to pass the evaluation rather than genuinely prioritizing holistic security.

  • Time and Cost: Achieving certification can be resource-intensive.
  • Evolving Threat Landscape: The criteria need regular updates to stay relevant.
  • Potential for Misaligned Priorities: The focus might shift to passing the test over genuine security.

The Future of Common Criteria and Software Security

As technology continues its relentless advancement, the Common Criteria will need to adapt to address emerging challenges and threats. The rise of AI, IoT devices, and more interconnected systems will require an evolved set of criteria.

However, the core philosophy of Common Criteria—providing a standardized benchmark for security evaluation—will likely remain unchanged. Tools like Socket, with their proactive approach, exemplify the direction in which software security is moving: not just identifying known vulnerabilities, but actively preventing potential threats. The synergy between evolving standards and innovative tools will shape the future of software security.

In conclusion, while standards like Common Criteria play a crucial role in establishing baseline security benchmarks, the onus is on vendors and tools to push the boundaries and ensure the digital world remains secure.
