SlideShare una empresa de Scribd logo
1 de 26
Descargar para leer sin conexión
Patch Management
for
ISO/IEC 15408 / Common Criteria
Javier Tallón, jtsec
Sebastian Fritsch, secuvera
2022 International Conference on the EU Cybersecurity Act 25.05.2022
• Overview
– Patch problem description
– ISO/IEC TS 9569: Towards Creating an Extension for Patch
Management for ISO/IEC 15408 and ISO/IEC 18045
• Concept
• Practical considerations
– Implications of Patch Management in the EUCC Scheme
• Patch levels
• EUCC Next steps
– Conclusions
Patch problem description
• Patch problem description
• Risk owner requirements
• demand for certificate of product (TOE): assurance
• but also for state-of-the-art security
• security issue handling during product lifecycle
• delivery of security updates
• maintenance/support processes
• Patch problem description
• As consequence risk owner often…
• …has to accept known vulnerabilities
• … can install patched but non-certified TOE updates
• Patch problem description
• Problems of patch re-certification
• costs and time for patch re-certification
• only done if mandatory required by regulation
• Product time to market
• Continuous delivery
• Vulnerabilities are made public and patched everyday
• But re-certification of patches is slow
• Security vs. Certification  really ?
• Patch problem description
• Chances of this proposal
• risk owner’s requirements will be addressed
• regulatory body can request risk owners to install updates to
remove existing vulnerabilities
• modernized our CC toolbox
• offer fast-track process
• use assurance from patch management process evaluation
• …
• real chance to mandate re-certification (in regulation or contracts)
ISO Project
ISO/IEC TS 9569:
Towards Creating an Extension for Patch Management
for ISO/IEC 15408 and ISO/IEC 18045
• History and future
• Patch Management is hot topic in ISO SC 27/WG 3
• Multiple study periods
• Project was upgraded from TR to TS
• (new) CC Roadmap discussions already refer to
Patch Management Project
 a lot of support
• Concept
A. One static + one flexible building blocks
1. ALC_PAM
– evaluate Patch Management Process as part of the standard
evaluation (certification)
– ready for augmentation
2. Patch/Update functionality in TOE scope
– technical security capabilities for applying patches
– Package for Patch Management: SPD, objectives and set of SFRs
» attached as Annex
» written as example
– finally defined in the ST or PP
B. Options for Certification Bodies
• New family ALC_PAM
• ALC_PAM.1 Patch Management Processes
– key elements:
• security relevance report (SRR)
– Developer’s self-assessment of security relevance of a planned patch
• Patch Management Processes (PAM Processes)
– require Patch Management Documentation (PMD), i.e. policies,
processes, procedures and tools related to the patching of the TOE
» mandatory procedures during patch release
» polices when to re-certify/re-evaluate the TOE
» end-of-support consideration of TOE
» assessment and confirmation of the application of policies on a regular
basis
• Options for Certification Bodies for cherry picking
– Fast-Track Re-Certification
– Different types of updates and related re-certification possibilities
– Support re-use of evaluation results
– Same-evaluator requirement
– Re-Evaluation (without Certification)
– Provide templates to support the analyse impact of changes of a patch
– Trust by default developers in order to harmonize security and certification
– Put penalties if developers do not follow the published rules
– Mandate root cause analysis
• How to apply: practical considerations
Guide for ST/PP authors:
– add Extended Component Definition (ALC_PAM.1) to ST/PP
– add Evaluator Work Unit to ST (or link referenced document)
• both defined in ISO document
– write Security Problem Definition (SPD), Objectives (for
Patches) and SFRs
• example is given in ISO document
– watch out for ST/PP examples which include ALC_PAM.1 in the
future
• first certificate including
ALC_PAM.1
• genua: genugate 10.0 Z
The TOE genugate 10.0 Z is a
combination of an application level
gateway (ALG) and a packet filter
(PFL), which are implemented on two
different systems. It is part of a larger
product. The firewall genugate 10.0 Z
consists of hardware and software. The
TOE is part of the shipped software.
The operating system is a modified
OpenBSD.
Sebastian Fritsch, secuvera | 19.10.2021 | Page 14
Source: BSI Website
• How to apply: practical considerations
– Strong recommendation: Review existing PAM Processes
• Check maturity of PAM Processes
• e.g. Gap-Analysis
• might help if Security Development Lifecycle (SDL) is already
implemented
– consider ALC_PAM.1 requirements
• see Guidance in ISO Document ( Annex)
Implications of Patch Management
in the EUCC Scheme
• Implications of Patch Management in the EUCC Scheme
• Cyber Security Act:
– (40) ENISA should contribute to raising the public’s awareness […] and to
promote basic multi-factor authentication, patching, encryption, anonymisation
and data protection advice.
– (93) European cybersecurity certificates and EU statements of conformity should
help end users to make informed choices. […] namely for how long the end
user can expect to receive cybersecurity updates or patches […]
– Article 54.1 A European cybersecurity certification scheme shall include at least
the following elements: […]
• (m) rules concerning how previously undetected cybersecurity
vulnerabilities in ICT products, ICT services and ICT processes are to be
reported and dealt with; […]
• Implications of Patch
Management in the EUCC
Scheme
– One year since the publication of
EUCC v1.1.1
– Chapter 14. Rules related to
handling vulnerabilities implements
the rules concerning how previously
undetected cybersecurity
vulnerabilities in ICT products are to be
reported and dealt with (Art 54.1m)
and provides the hook for patch
management.
• Patch levels
– The CB shall include in the certification
report the applied Patch management
mechanism and a clear delineation of the
TOE scope (specially when it is part of a
bigger product)
– L1: Just notify CAB-CB and proceed to deploy. CAB may apply maintenance /
release a maintenance report.
– L2: Evaluate and then deploy. CAB shall update the version of the certificate.
– L3: Fallback to assurance continuity for major changes.
– CUF: Notify the CAB, then deploy, then evaluate. CAB shall update the
version of the certificate.
• Patch levels
– Level 2
– A time limit for evaluation may be agreed
• Would require a contract with the ITSEF
– It is possible to avoid testing based on the evidence provided (e.g. source
code)
– May not require approval to start from the CB
– Bug fixes shall be considered typical minor changes
• Patch levels
– Critical Update Flow
– Will not require approval to start from the CB but the ITSEF and
the CB shall be informed of the changes within five business
days.
– ITSEF shall have a priority queue
• Would require a contract with the ITSEF
– Will require validation from the CB
• Critical update flow triage
– The following questions shall be answered
• Is the product used within critical infrastructure?
• Are there applicable liability issues?
• Is safety at risk?
• Is a working exploit available or even not needed?
• Can the vulnerability be used to develop further attacks?
• Practical application
– When a vulnerability is verified and the patch
management was included in the initial
evaluation the following steps will be done:
• 1. Developer notifies the CAB and sends
IAR
• 2. Developer triages the severity of the
vulnerability to determine if the Critical
Update Flow is applicable.
• 3. Developer determines the applicable
patch level based on the affected evidence
(major/minor)
• 4. The following steps are done in different
order depending on the level
– Deploy the patch
– Evaluate the patched TOE
or classical assurance continuity (PL2)
• 5. A maintenance report is emitted and
certificate is updated
• EUCC Next Steps
– We gained experience through the experiment conducted by Secuvera
and BSI
– Experience for other approaches may be needed (ISCI approach)
– Further refinement under EUCC for the patch management chapter
may be needed, including:
• Harmonized interpretation of Major/Minor changes for vulnerabilities
• Consider applying more widely the asynchronous approach. To which extent
shall we require ITSEF/CB involvement?
• Detail the triage process
• Tuning with other aspects like vulnerability handling and monitoring?
• There is some potential overlap/contradictions with assurance continuity and
with Chapter 12
• Impact on EUCC ENISA website (certificate list)?
• Conclusions
– ISO project status
• next draft for distribution in ISO 1st of July
– next ballot: DTS (Draft Technical Specification)
– ask your ISO liasion organisation for the document, like CCUF
• official project target: 2023-04-25
– On the EUCC Patch Management approach
• Accepted for trial use opening the door to asynochronus evaluation
alternatives
• Further refinement is still needed
Thank you!
Vielen Dank!
¡Muchas Gracias! Sebastian Fritsch
sfritsch@secuvera.de
+49-7032/9758-24
secuvera GmbH
Siedlerstraße 22-24
71126 Gäufelden/Stuttgart
Germany
Javier Tallón
jtallon@jtsec.es
+34-858981999
jtsec Beyond IT Security
Avenida de la Constitución 20, 208
18012 Granada
Spain

Más contenido relacionado

Similar a Patch Management for ISO/IEC 15408 Common Criteria

Vish- Validation Master Plan
Vish- Validation Master PlanVish- Validation Master Plan
Vish- Validation Master PlanVishal Parikh
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013   2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013   2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Verhaert Masters in Innovation
 
SWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESSSWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESSFilippo Ferri
 
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocessAktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocessInboundLabs (ex mon.ki inc)
 
commissioning.pdf
commissioning.pdfcommissioning.pdf
commissioning.pdfharis348605
 
19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptxTran Duc Dai
 
Controlling interests editors
Controlling interests editorsControlling interests editors
Controlling interests editorseldhoev
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202  adm m3 ssmNcerc rlmca202  adm m3 ssm
Ncerc rlmca202 adm m3 ssmssmarar
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptYoussefElsamman
 
Unit 8 final
Unit 8 finalUnit 8 final
Unit 8 finalsietkcse
 
Validation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortValidation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortVeeva Systems
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B InterchangePerficient
 
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...Gaurav Singh Rajput
 
unit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxunit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxPriyaFulpagare1
 
L9 quality assurance and documentation
L9 quality assurance and documentationL9 quality assurance and documentation
L9 quality assurance and documentationOMWOMA JACKSON
 

Similar a Patch Management for ISO/IEC 15408 Common Criteria (20)

Vish- Validation Master Plan
Vish- Validation Master PlanVish- Validation Master Plan
Vish- Validation Master Plan
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013   2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013   2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
 
SWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESSSWEDEN ONLINE - CERTIFICATION PROCESS
SWEDEN ONLINE - CERTIFICATION PROCESS
 
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocessAktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
Aktuelle BPM-Erfahrungen aus komplexen Branchen. Rainer Elvermann, cbprocess
 
Validation master plan
Validation master planValidation master plan
Validation master plan
 
commissioning.pdf
commissioning.pdfcommissioning.pdf
commissioning.pdf
 
19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx19c SCP Upgrade Proposal Final.pptx
19c SCP Upgrade Proposal Final.pptx
 
Controlling interests editors
Controlling interests editorsControlling interests editors
Controlling interests editors
 
Ncerc rlmca202 adm m3 ssm
Ncerc rlmca202  adm m3 ssmNcerc rlmca202  adm m3 ssm
Ncerc rlmca202 adm m3 ssm
 
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.pptcupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
cupdf.com_1-developing-safety-critical-systems-chapter-5-storey.ppt
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
 
Unit 8 final
Unit 8 finalUnit 8 final
Unit 8 final
 
CMMC briefing
CMMC briefingCMMC briefing
CMMC briefing
 
Validation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortValidation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effort
 
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
2013 OHSUG - Integration of Argus and Other Products Using the E2B Interchange
 
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
SIL Awareness | Introduction to Safety Life-Cycle | IEC - 61508 & IEC- 61511 ...
 
unit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxunit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptx
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
 
Text-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docxText-DISA_Review_Questions.docx
Text-DISA_Review_Questions.docx
 
L9 quality assurance and documentation
L9 quality assurance and documentationL9 quality assurance and documentation
L9 quality assurance and documentation
 

Más de Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNJavier Tallón
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfJavier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaJavier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...Javier Tallón
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesJavier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria Javier Tallón
 
CCCAB - Making CABs life easy
CCCAB -  Making CABs life easyCCCAB -  Making CABs life easy
CCCAB - Making CABs life easyJavier Tallón
 

Más de Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896EUCA 22 - Let's harmonize labs competence ISO 19896
EUCA 22 - Let's harmonize labs competence ISO 19896
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 
CCCAB - Making CABs life easy
CCCAB -  Making CABs life easyCCCAB -  Making CABs life easy
CCCAB - Making CABs life easy
 

Último

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 

Último (20)

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 

Patch Management for ISO/IEC 15408 Common Criteria

  • 1. Patch Management for ISO/IEC 15408 / Common Criteria Javier Tallón, jtsec Sebastian Fritsch, secuvera 2022 International Conference on the EU Cybersecurity Act 25.05.2022
  • 2. • Overview – Patch problem description – ISO/IEC TS 9569: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045 • Concept • Practical considerations – Implications of Patch Management in the EUCC Scheme • Patch levels • EUCC Next steps – Conclusions
  • 4. • Patch problem description • Risk owner requirements • demand for certificate of product (TOE): assurance • but also for state-of-the-art security • security issue handling during product lifecycle • delivery of security updates • maintenance/support processes
  • 5. • Patch problem description • As consequence risk owner often… • …has to accept known vulnerabilities • … can install patched but non-certified TOE updates
  • 6. • Patch problem description • Problems of patch re-certification • costs and time for patch re-certification • only done if mandatory required by regulation • Product time to market • Continuous delivery • Vulnerabilities are made public and patched everyday • But re-certification of patches is slow • Security vs. Certification  really ?
  • 7. • Patch problem description • Chances of this proposal • risk owner’s requirements will be addressed • regulatory body can request risk owners to install updates to remove existing vulnerabilities • modernized our CC toolbox • offer fast-track process • use assurance from patch management process evaluation • … • real chance to mandate re-certification (in regulation or contracts)
  • 8. ISO Project ISO/IEC TS 9569: Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045
  • 9. • History and future • Patch Management is hot topic in ISO SC 27/WG 3 • Multiple study periods • Project was upgraded from TR to TS • (new) CC Roadmap discussions already refer to Patch Management Project  a lot of support
  • 10. • Concept A. One static + one flexible building blocks 1. ALC_PAM – evaluate Patch Management Process as part of the standard evaluation (certification) – ready for augmentation 2. Patch/Update functionality in TOE scope – technical security capabilities for applying patches – Package for Patch Management: SPD, objectives and set of SFRs » attached as Annex » written as example – finally defined in the ST or PP B. Options for Certification Bodies
  • 11. • New family ALC_PAM • ALC_PAM.1 Patch Management Processes – key elements: • security relevance report (SRR) – Developer’s self-assessment of security relevance of a planned patch • Patch Management Processes (PAM Processes) – require Patch Management Documentation (PMD), i.e. policies, processes, procedures and tools related to the patching of the TOE » mandatory procedures during patch release » polices when to re-certify/re-evaluate the TOE » end-of-support consideration of TOE » assessment and confirmation of the application of policies on a regular basis
  • 12. • Options for Certification Bodies for cherry picking – Fast-Track Re-Certification – Different types of updates and related re-certification possibilities – Support re-use of evaluation results – Same-evaluator requirement – Re-Evaluation (without Certification) – Provide templates to support the analyse impact of changes of a patch – Trust by default developers in order to harmonize security and certification – Put penalties if developers do not follow the published rules – Mandate root cause analysis
  • 13. • How to apply: practical considerations Guide for ST/PP authors: – add Extended Component Definition (ALC_PAM.1) to ST/PP – add Evaluator Work Unit to ST (or link referenced document) • both defined in ISO document – write Security Problem Definition (SPD), Objectives (for Patches) and SFRs • example is given in ISO document – watch out for ST/PP examples which include ALC_PAM.1 in the future
  • 14. • first certificate including ALC_PAM.1 • genua: genugate 10.0 Z The TOE genugate 10.0 Z is a combination of an application level gateway (ALG) and a packet filter (PFL), which are implemented on two different systems. It is part of a larger product. The firewall genugate 10.0 Z consists of hardware and software. The TOE is part of the shipped software. The operating system is a modified OpenBSD. Sebastian Fritsch, secuvera | 19.10.2021 | Page 14 Source: BSI Website
  • 15. • How to apply: practical considerations – Strong recommendation: Review existing PAM Processes • Check maturity of PAM Processes • e.g. Gap-Analysis • might help if Security Development Lifecycle (SDL) is already implemented – consider ALC_PAM.1 requirements • see Guidance in ISO Document ( Annex)
  • 16. Implications of Patch Management in the EUCC Scheme
  • 17. • Implications of Patch Management in the EUCC Scheme • Cyber Security Act: – (40) ENISA should contribute to raising the public’s awareness […] and to promote basic multi-factor authentication, patching, encryption, anonymisation and data protection advice. – (93) European cybersecurity certificates and EU statements of conformity should help end users to make informed choices. […] namely for how long the end user can expect to receive cybersecurity updates or patches […] – Article 54.1 A European cybersecurity certification scheme shall include at least the following elements: […] • (m) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with; […]
  • 18. • Implications of Patch Management in the EUCC Scheme – One year since the publication of EUCC v1.1.1 – Chapter 14. Rules related to handling vulnerabilities implements the rules concerning how previously undetected cybersecurity vulnerabilities in ICT products are to be reported and dealt with (Art 54.1m) and provides the hook for patch management.
  • 19. • Patch levels – The CB shall include in the certification report the applied Patch management mechanism and a clear delineation of the TOE scope (specially when it is part of a bigger product) – L1: Just notify CAB-CB and proceed to deploy. CAB may apply maintenance / release a maintenance report. – L2: Evaluate and then deploy. CAB shall update the version of the certificate. – L3: Fallback to assurance continuity for major changes. – CUF: Notify the CAB, then deploy, then evaluate. CAB shall update the version of the certificate.
  • 20. • Patch levels – Level 2 – A time limit for evaluation may be agreed • Would require a contract with the ITSEF – It is possible to avoid testing based on the evidence provided (e.g. source code) – May not require approval to start from the CB – Bug fixes shall be considered typical minor changes
  • 21. • Patch levels – Critical Update Flow – Will not require approval to start from the CB but the ITSEF and the CB shall be informed of the changes within five business days. – ITSEF shall have a priority queue • Would require a contract with the ITSEF – Will require validation from the CB
  • 22. • Critical update flow triage – The following questions shall be answered • Is the product used within critical infrastructure? • Are there applicable liability issues? • Is safety at risk? • Is a working exploit available or even not needed? • Can the vulnerability be used to develop further attacks?
  • 23. • Practical application – When a vulnerability is verified and the patch management was included in the initial evaluation the following steps will be done: • 1. Developer notifies the CAB and sends IAR • 2. Developer triages the severity of the vulnerability to determine if the Critical Update Flow is applicable. • 3. Developer determines the applicable patch level based on the affected evidence (major/minor) • 4. The following steps are done in different order depending on the level – Deploy the patch – Evaluate the patched TOE or classical assurance continuity (PL2) • 5. A maintenance report is emitted and certificate is updated
  • 24. • EUCC Next Steps – We gained experience through the experiment conducted by Secuvera and BSI – Experience for other approaches may be needed (ISCI approach) – Further refinement under EUCC for the patch management chapter may be needed, including: • Harmonized interpretation of Major/Minor changes for vulnerabilities • Consider applying more widely the asynchronous approach. To which extent shall we require ITSEF/CB involvement? • Detail the triage process • Tuning with other aspects like vulnerability handling and monitoring? • There is some potential overlap/contradictions with assurance continuity and with Chapter 12 • Impact on EUCC ENISA website (certificate list)?
  • 25. • Conclusions – ISO project status • next draft for distribution in ISO 1st of July – next ballot: DTS (Draft Technical Specification) – ask your ISO liasion organisation for the document, like CCUF • official project target: 2023-04-25 – On the EUCC Patch Management approach • Accepted for trial use opening the door to asynochronus evaluation alternatives • Further refinement is still needed
  • 26. Thank you! Vielen Dank! ¡Muchas Gracias! Sebastian Fritsch sfritsch@secuvera.de +49-7032/9758-24 secuvera GmbH Siedlerstraße 22-24 71126 Gäufelden/Stuttgart Germany Javier Tallón jtallon@jtsec.es +34-858981999 jtsec Beyond IT Security Avenida de la Constitución 20, 208 18012 Granada Spain

Notas del editor

  1. 1a. The manufacturer or provider shall report within a business day to the certification body (CB) that issued the certificate the possibility of a related vulnerability and provide within five business days a date for when a vulnerability analysis will be established. 1b. When the information about a possibility of a vulnerability related to the certified ICT product is available first at the CB, the CB shall inform within a business day the manufacturer or provider and request a vulnerability analysis and a date for this analysis within five business days. 2. agree on a proposed date to have the impact of the vulnerability analysed, but this shall not exceed 90 days 3. If the developer is not responsive or does not meet the agreed date, certificate is suspended 4. During analysis, if the vulnerability is disproved, documentation kept for 5 years 5. If the vulnerability is verified, certificate is suspended and then 6. If the product was not certified including an accepted patch management process, we will fallback to the classical assurance continuity procedure with potentially new options for scope reduction 7. Otherwise, a whole new world of possibilities are opened.