Common Criteria vs Vendor Marketing

We are aware of the liberal license used by vendor marketing departments. The latest and greatest shiny object, with the most up to date security or LEDs.

Unfortunately this seems to have extended recently into the area of product certification. This is often blended with not being as expansive with the descriptions as possible. For example if a product was EAL4 certified it is easy for the marketing department to overlook the fact that only some of the specific models within a range of appliances are actually EAL4.

The next issue is not clearly identifying the functions that are certified for an appliance of solution. For example certification for IPSEC VPN but not the firewall functionality.

It is very important to review the ToE for all certification and testing to ensure that what you wish to buy is suitable to meet your business requirements. This must be followed up by actually implementing the device in the correct manner, otherwise you can increase the risks to your business.

If you are preparing to procure solutions ensure that you check the certification web sites to cross reference the vendors web sites.



CESG in the UK provide additional resources in this area which should also be used if the solution is to be utilised with HMG.


~ by Simon Hancock on November 24, 2008.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: