About me
José Manuel Pulido:
• Common Criteria expert and Lead Consultant in jtsec.
• CCToolbox developer
• Contributor to ENISA, Eurosmart and ISO projects and CEN/CENELEC.
• More than 12 years of experience in cybersecurity technologies
• Speaker at several conferences including CCUF20, ICCC20, ICCC21 and ICCC22
About us
• jtsec is part of the A+ group along with Lightship Security. We have labs in Canada, USA and Spain.
• Cybersecurity evaluation & consultancy services
• Common Criteria, LINCE and ETSI EN 303 645 accredited lab.
• Developers of the most powerful tool for Common Criteria, CCToolbox.
• Involved in standardization activities (ISO, CEN/CENELEC, ISCI WGs, ENISA CSA WGs, CCUF, CMUF, ERNCIP, …)
• Members of the SCCG (Stakeholder Cybersecurity Certification Group)
Collecting CC statistics with CC Scraper
CC Scraper gathers “fresh” data from ccportal and CB websites. Sometimes data is uploaded or changed a posteriori, and previously collected statistics change.
CC Scraper keeps facing challenges and evolving
• We continuously maintain and improve CC Scraper:
  • Many CB webpages frequently change their structure.
  • Evaluation labs are not listed, so we have to parse and OCR reports.
  • Combining certificate lists is challenging.
  • We plan to adopt new technologies to improve the process.
• Results are close to accurate, but could have small variations.
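Added example, not jtsec's CC Scraper code: one way to combine the CC Portal list with CB website lists without duplicating products, given that product names and EAL spellings differ between the two sources. The record fields, sample products, lab names and the 0.6 word-overlap threshold are all assumptions constructed for illustration.

```python
import re
import unicodedata

_EAL_RE = re.compile(r"EAL\s*-?\s*([1-7])\s*(\+|augmented)?", re.IGNORECASE)
_VERSION_PREFIX_RE = re.compile(r"\b(?:version|ver|v)\.?\s*(?=\d)")


def normalize_eal(raw):
    """Map different spellings of an assurance level onto one token."""
    if not raw:
        return "UNKNOWN"
    match = _EAL_RE.search(raw)
    if match:
        return "EAL" + match.group(1) + ("+" if match.group(2) else "")
    if re.search(r"\b(?:PP|protection profile)\b", raw, re.IGNORECASE):
        return "PP"
    return "UNKNOWN"


def normalize_name(name):
    """Lower-case, drop accents and trademark signs, unify version prefixes."""
    text = re.sub(r"[®™©]", " ", name)
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = _VERSION_PREFIX_RE.sub("", text)
    return " ".join(re.sub(r"[^a-z0-9.]+", " ", text).split())


def fingerprint(record):
    """Split a record into exact-match parts and fuzzy-match words."""
    tokens = [t.strip(".") for t in normalize_name(record["name"]).split()]
    tokens = [t for t in tokens if t]
    # Tokens with digits are model or version identifiers: X200 and X300 are
    # different products even though the names differ by one character.
    ids = frozenset(t for t in tokens if any(c.isdigit() for c in t))
    words = frozenset(tokens) - ids
    return record["scheme"].upper(), normalize_eal(record["eal"]), ids, words


def same_product(a, b, min_word_overlap=0.6):
    """True when two listings describe the same certified product."""
    scheme_a, eal_a, ids_a, words_a = fingerprint(a)
    scheme_b, eal_b, ids_b, words_b = fingerprint(b)
    if (scheme_a, eal_a, ids_a) != (scheme_b, eal_b, ids_b):
        return False
    union = words_a | words_b
    # Jaccard overlap tolerates extra words such as "Corp" in one listing.
    return not union or len(words_a & words_b) / len(union) >= min_word_overlap


def merge_lists(portal, cb_sites):
    """Return unique products; CB data fills fields the portal lacks."""
    merged = [dict(rec, sources=["ccportal"]) for rec in portal]
    for rec in cb_sites:
        match = next((m for m in merged if same_product(m, rec)), None)
        if match is None:
            merged.append(dict(rec, sources=["cb"]))
            continue
        if "cb" not in match["sources"]:
            match["sources"].append("cb")
        for key, value in rec.items():
            if match.get(key) is None:
                match[key] = value
    return merged


def publication_summary(merged):
    """Count products listed on the portal versus on CB websites only."""
    on_portal = sum(1 for m in merged if "ccportal" in m["sources"])
    return {"total": len(merged), "ccportal": on_portal,
            "cb_only": len(merged) - on_portal}


# Constructed sample listings (not real certificates). The portal rows lack
# the evaluation lab, which only the CB rows carry.
PORTAL = [
    {"name": "ACME Secure Router X200 v2.1", "scheme": "NL",
     "eal": "EAL4+", "lab": None},
    {"name": "Exemplar SmartCard OS 3.0", "scheme": "FR",
     "eal": "EAL5+", "lab": None},
    {"name": "Sample Printer MFP-900", "scheme": "US",
     "eal": "PP Compliant", "lab": None},
]
CB_SITES = [
    {"name": "ACME® Corp. Secure Router X200, version 2.1", "scheme": "NL",
     "eal": "EAL 4 augmented with ALC_FLR.2", "lab": "Lab A (constructed)"},
    {"name": "ACME Secure Router X300 v2.1", "scheme": "NL",
     "eal": "EAL4+", "lab": "Lab A (constructed)"},
    {"name": "Exemplar Smartcard OS 3.0", "scheme": "FR",
     "eal": "EAL 5 augmented", "lab": "Lab B (constructed)"},
    {"name": "Demo VPN Gateway 1.0", "scheme": "SE",
     "eal": "EAL2", "lab": "Lab C (constructed)"},
]

if __name__ == "__main__":
    products = merge_lists(PORTAL, CB_SITES)
    for product in products:
        print(product["name"], normalize_eal(product["eal"]),
              product["lab"], product["sources"])
    print(publication_summary(products))
```

Matching on document hashes is deliberately left out of this sketch; exact agreement on scheme, assurance level and model/version tokens does the work, with word overlap absorbing naming differences.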
CC Scraper reports
• With the statistics generated, we publish CC statistics reports on the jtsec webpage, at least once per year.
• https://www.jtsec.es/blog-entry/85/common-criteria-statistics-report-for-2020
• https://www.jtsec.es/blog-entry/106/common-criteria-statistics-report-for-2021
• https://www.jtsec.es/blog-entry/125/common-criteria-statistics-report-for-2022
Disclaimer: CC scraper was run on 29th of September 2023. The statistics are calculated
with the data for the first 9 months of the year.
Number of CC certificates in 2023
• 310 products were CC certified during 2023 (data until 29/09/2023)
Certificates per quarter (bar chart): 2023 Q1: 106; 2023 Q2: 117; 2023 Q3: 87
Top certifier schemes in 2023
Certificates per scheme (bar chart): FR 58, NL 58, US 57, DE 32, CA 22, JP 19, SP 18, SE 16, IT 7, KR 7, SG 7, TR 3, AU 2, IN 2, MY 1, NO 1
Percentage of certifications per scheme in 2023
FR 19%, NL 19%, US 19%, DE 10%, CA 7%, JP 6%, SP 6%, SE 5%, IT 2%, KR 2%, SG 2%, TR 1%, AU 1%, IN 1%
Assurance levels used in 2023
EAL1 0.65%, EAL2 10.65%, EAL3 3.23%, EAL4 23.87%, EAL5 15.81%, EAL6 9.03%, EAL7 0.00%, PP 36.77%
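Product assurance level per country in 2023 (top 5)
Certificates per assurance level (bar chart):
FR: EAL2 6, EAL3 0, EAL4 12, EAL5 27, EAL6 13, PP 0
NL: EAL2 3, EAL3 2, EAL4 25, EAL5 16, EAL6 11, PP 1
US: EAL2 0, EAL3 0, EAL4 0, EAL5 0, EAL6 0, PP 57
DE: EAL2 1, EAL3 6, EAL4 17, EAL5 3, EAL6 4, PP 1
CA: EAL2 0, EAL3 0, EAL4 0, EAL5 0, EAL6 0, PP 22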
Top 10 laboratories in 2023
Certificates per laboratory (bar chart):
SGS BRIGHTSIGHT (*): 46
APPLUS CYBERSECURITY LABS (LIGHTSHIP + JTSEC + APPLUS) (*): 32
TÜV (*): 31
CEA - LETI (FR): 30
GOSSAMER (US): 24
THALES (FR): 23
INFORMATION TECHNOLOGY SECURITY CENTER (JP): 17
INTERTEK (ACUMEN + EWA + ACUCERT) (*): 17
LEIDOS (US): 13
COMBITECH (SE): 12
Use of PPs in 2023 / Top PPs
Certifications with PP: 77%; certifications without PP: 23%
Top PPs:
• Protection Profile for Hardcopy Devices: 15.97%
• Security IC Platform Protection Profile: 14.29%
• Protection Profile for Network Devices: 13.87%
• Machine Readable Travel Document: 12.61%
• Protection Profile for Application Software: 7.98%
Use of collaborative PPs
Collaborative PPs vs Non-Collaborative PPs: Collaborative PPs 17%, Non-Collaborative PPs 74%
cPP certifications 2023: Network Devices 78%, Full Drive Encryption 5%, Stateful Traffic Filter Firewalls 17%
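Top manufacturers of certified products in 2023
Certified products for the top 5 (bar chart; manufacturer names are not present in the extracted text): 26, 23, 20, 17, 16
Rank change markers: =, New, -1, +1, =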
Top certified categories in 2023
Note: categories with less than 3% were omitted for readability
• ICs, Smart Cards and Smart Card-Related Devices and Systems: 34%
• Other Devices and Systems: 19%
• Network and Network-Related Devices and Systems: 15%
• Multi-Function Devices: 12%
• Boundary Protection Devices and Systems: 5%
• Data Protection: 5%
• Operating Systems: 4%
• Products for Digital Signatures: 3%
• Access Control Devices and Systems: 3%
Products uploaded from CB websites to CC Portal
Product publication sites (bar chart): Total (CCPortal + CBs): 310; CCPortal: 296; CB websites only: 14
Number of certifications in the last 5 years
Certifications per year (bar chart): 2019: 333; 2020: 371; 2021: 382; 2022: 356; 2023: 310
Forecast for end of 2023: 413
Certifications per scheme – last 5 years
FR 18%, US 17%, NL 14%, DE 13%, JP 7%, CA 7%, SE 5%, SP 5%, IT 3%, KR 3%, MY 2%, TR 1%, AU 1%, SG 1%, IN 1%
Scheme growth 2022-2023 (until 29/09/23)
Certificates per scheme (bar chart), 2022 / 2023:
TR: 1 / 3
KR: 6 / 7
SG: 6 / 7
NO: 1 / 1
NL: 59 / 58
SP: 19 / 18
SE: 17 / 16
IN: 3 / 2
US: 59 / 57
AU: 4 / 2
CA: 26 / 22
JP: 23 / 19
MY: 5 / 1
DE: 40 / 32
IT: 15 / 7
FR: 72 / 58
Evolution of top 5 laboratories in the last 5 years
Certificates per laboratory (bar chart), 2019 / 2020 / 2021 / 2022 / 2023:
SGS Brightsight (*): 23 / 40 / 37 / 52 / 46
TÜV (*): 30 / 35 / 53 / 31 / 31
INTERTEK (Acumen + EWA + Acucert) (*): 33 / 23 / 27 / 21 / 17
APPLUS Cybersecurity Labs (Lightship + jtsec + Applus) (*): 12 / 27 / 18 / 31 / 32
SERMA (FR): 37 / 37 / 14 / 23 / 5
Lab growth 2022-2023 (until 29/09/23)
Lab positive growth 2022-2023 (sept), certificates 2022 / 2023:
Combitech (SE): 4 / 12
INFORMATION TECHNOLOGY SECURITY CENTER (JP): 11 / 17
TÜV (*): 31 / 34
GOSSAMER (US): 21 / 24
THALES (FR): 20 / 23
KOSYAS (KR): 1 / 4
CEA - LETI (FR): 28 / 30
Booz Allen (US): 2 / 4
BEAM (TR): 1 / 3
APPLUS Cybersecurity Labs (Lightship + jtsec + Applus) (*): 31 / 32
Riscure (NL): 6 / 7
Lab negative growth 2022-2023, certificates 2022 / 2023:
CCLAB: 3 / 1
BAE (*): 2 / 0
KSEL (KR): 3 / 1
Technis Blu (IT): 2 / 0
ERTL (IN): 3 / 0
SRC SECURITY (DE): 8 / 5
ECSEC Laboratory Inc.: 12 / 2
SERMA (FR): 23 / 5
ATSEC (*): 27 / 9
Statistics – Categories evolution (5 years)
Line chart, 2019 to 2023. Categories in the legend: Access Control Devices and Systems; Biometric Systems and Devices; Boundary Protection Devices and Systems; Data protection; ICs, Smart Cards and Smart Card-Related Devices and Systems; Mobility; Multi-Function Devices; Network and Network-Related Devices and Systems.
Data labels recovered from the chart (the extracted text does not say which category each group belongs to): 15 19 8 9 6; 92 129 116 120 101; 43 47 55 43 45; 48 60 64 53 50
CC Certification Industry in 2023
• Strong year: 2023 will probably end as the best year of the last 5.
• The top 3 schemes (FR, NL, USA) dominate, tied with each other and well ahead of the rest.
• Assurance levels: High EALs > 47%, followed by PP-Compliant > 36%.
• PPs in demand, used in 77% of the certifications. Hardcopy Devices PP was the top non-cPP, with high representation of Secure Elements and MRTD, and Network Devices the top cPP.
• SGS Brightsight was the top laboratory, followed by Applus Cyber. Labs and TÜV.
• Idemia was the #1 vendor, and 4 out of the top 5 are smartcard manufacturers.
The near future brings changes to CC industry
• In ICCC 2022 we already highlighted the growing importance of national lightweight certifications and the shifting of the industry to cloud-based certifications… but it hasn’t affected the numbers so far.
• CC2022 will impact labs and vendors
  • New evaluations with CCv3.1 R5 will be admitted only until 30 June 2024.
  • PPs need to be migrated to CC2022 before end of 2027.
  • Will PP0117 start replacing PP0084 for some products in 2024?
• EUCC could significantly change the CC certification landscape in Europe:
  • Implementing act draft already published. After a 1-year transition period, EU countries will no longer issue certificates under CCRA.
  • Some vendors could slow down their certification roadmap during that period.
  • We still need to see how the American and Asian CC markets will react.
Contact
jtsec Beyond IT Security
Granada & Madrid – Spain
hello@jtsec.es
@jtsecES
www.jtsec.es
“Any fool can make something complicated. It takes a genius to make it simple.” Woody Guthrie

ICCC2023 Statistics Report, has Common Criteria reached its peak?


Editor's notes

  1. Hello ICCC 2023. Hello DC. My name is Jose Pulido, and today I am here to present the statistics of the Common Criteria certification industry in the current year. It is an honor to be a speaker one more year in this Common Criteria Conference; and I am doubly happy because I had wanted to visit the USA for a long time. I really hope you find this presentation interesting!
  2. Let me briefly introduce myself: I’m currently Lead Cybersecurity Consultant at jtsec. I have been involved in the Common Criteria, cybersecurity in general and development of tools for CC professionals for several years. I have also participated in various standardization groups in the last years. And I am proud to say that this is my fourth year in ICCC. The statistics that I will present to you today, and the tools used to create them are elaborated in jtsec, a CC laboratory, part of the Applus+ group (along with Lightship Security). Our group has labs in Canada, USA and Spain, and we are deeply involved in many cybersecurity standardization activities. Feel free to check our website or LinkedIn profiles for more information on our activities!
  3. And I would also like to introduce you to CC Scraper, the tool used to create the statistics in this presentation.
  4. Probably, many of you already had the chance to learn about CC Scraper in previous editions of ICCC. I’ll briefly introduce or remind you of this interesting tool. CC Scraper is a script written in Python language that collects data from two principal sources: the main source is the list of certified products in commoncriteriaportal.org. The second source is each of the websites of each National Certification Body, that produces and publishes Common Criteria certificates. From these two sources, the scraper collects and gathers all the relevant data for each certified product: date of certification, assurance level, Protection Profile, product category, certification laboratory… and much more. The data is interpreted and combined into a list of unique certified products, and we generate several statistics from that data.
  5. Almost every time that we run the scraper we find challenges, so it is under continuous development. From year to year, many websites of certification bodies change their structure, so we have to partially rewrite their parsers. Also, identifying which labs performed the evaluations of certified products is not an easy task. They are not listed in CC Portal or in many CB websites. So, we end up having to parse the PDF of the certification report and, sometimes, even applying OCR because the PDF only contains scanned images. Moreover, for products listed in both CC Portal and in websites of national CBs, combining products without duplicating entries is complicated: between the two lists, the names of the products vary, the EALs are expressed in different formats, or some bytes vary in the PDFs of Security Targets or CRs. Therefore we are reviewing our algorithms to improve the process, and trying to incorporate new technologies to make it more accurate. Please, keep in mind that the numbers extracted are close to accurate, but there could be a small margin of variation. So, if you are a vendor and today you are told that your company certified one or two fewer products than it did, or you work in a laboratory and your competitor has 1 more certification than it should, please don’t get mad! We are happy to receive your feedback and keep improving our tool.
  6. We would like to remind you that, at the beginning of each year, we publish the statistics for the full previous year in jtsec blog. All the reports for previous years are available there for you to download and check. For 2023, the statistics report will be published at the beginning of 2024. So, remember to keep an eye out on it!
  7. We will start by presenting the statistics for 2023. Please, take into account that the data used for the elaboration of the current statistics reaches out only until 29 of September 2023. Therefore, all the certificates uploaded during October are not considered for these statistics. Also, when comparing the numbers of 2023 with the ones in previous years, expect them to be lower as the last quarter data is still to be collected.
  8. This year, until end of September, three hundred and ten products were certified under Common Criteria. The chart shows how the certifications were distributed in time across the first three quarters. Although these statistics don’t take into account the certifications in the last quarter of the year, the numbers already indicate that 2023 could be an excellent year for the CC certification industry. Actually, we estimate that, at the end of the year, there should be more than 410 (four hundred and ten) certifications, that would make it one of the best years for the sector.
  9. CC Scraper allows us to tailor a very significant statistic regarding the health of the CC industry: the ranking of certifications per scheme for the year. The chart shows three big winners, almost tied up in number: France, Netherlands and US. They have been uncontestable leaders this year with 58 and 57 certifications each. Germany is in a solid fourth place, with 32 certifications, with some difference over the following schemes. In the mid table we find Canada with 22, Japan with 19, Spain with 18 and Sweden with 16. Next, Italy, Korea and Singapore achieved 7 certificates each. And, with 3 or less certifications each we find Turkey, Australia, Indonesia, Malaysia and Norway.
  10. If we transform these absolute numbers into relative numbers, as in this pie chart, the first thing that comes to attention is that France, Netherlands and USA together issued 57% of all the CC certificates this year, this is almost 60%! This stresses the big gap existing currently between these three countries and the rest. In the EUROPEAN LANDSCAPE, Germany issued 10% of the total certificates, remaining an important actor. It is followed in EUROPE by Spain with 6%, Sweden with 5% and then Italy with 2%. In America, after USA, Canada comes, with 7% out of the total certificates. And, in the Asian Market, as a remarkable number, the leader was Japan, which issued 6% of the certificates.
  11. Aside from the number of certifications, it is also meaningful to explore which assurance levels were the most used ones in the certifications carried out this year. As shown in the chart, the PP-compliant evaluations have been the most frequent ones. There is no surprise here, as they are mandatory in USA and Canada, and they are spreading in other regions as well. But the chart also shows that the high assurance certifications together add up to roughly half of the total. This year, the most common high assurance level used was EAL4, with more than 23%. Also, the high percentages of EAL5 certifications (16%), and EAL6 ones (9%) catch our attention. Probably the smartcard and secure element industry has a lot to say here. This year no products were certified with EAL7. Low assurance evaluations haven’t been very frequent, EAL2 only reached around 10%. Therefore, we could say that this year the certifications were almost polarized between PP-compliant and high EAL certifications.
  12. This statistic gives us a bit more of insight on how the top 5 certifying schemes distributed their certification effort across assurance levels. We have omitted EAL7 and EAL1 because none of these schemes certified any product with those EALs. If we look at the bars, as expected, USA and Canada exclusively issued certifications of PP-compliant products. But, in the other three schemes, PP-compliant evaluations were minimally used. EAL4 certifications were issued mainly in the Netherlands (with 25), followed by Germany and France. In EAL5 certifications, France was the uncontestable leader, with 27, Netherlands was the second with 16, and Germany the third with only 3. For EAL6 certifications, France and Netherlands are very close to each other; EAL2 certifications happened mainly in France, and six EAL3 ones were carried out in Germany.
  13. One of the most expected statistics is the ranking of top certifying laboratories. This year the laboratory that certified the most products was SGS Brightsight, the winner so far, with 46 certifications. In the second place, we find Applus cybersecurity labs with 32. Very close, we have TÜV in the third place, with 31 certifications. CEA-LETI is in the fourth place with 30, followed by Gossamer in the fifth place as the most representative lab in US, with 24. Another French lab, Thales is in sixth place with 23. Outside of top schemes, ITSC in Japan exhibited very good numbers, with 17, and it is tied up with Intertek group (accounting Acumen, EWA and Acucert). The ninth place is for LEIDOS, with 13 certifications. And finally, Combitech is the representative of the Swedish scheme, who did very well this year with 12 certifications.
  14. This statistic is very representative of the behaviour of the industry: [..] 77% of the certifications this year were carried out using compliance with a Protection Profile. One remarkable fact to highlight is that there are still many evaluations that don’t use a PP… one possible reason for it could be that exact conformance is not always feasible to apply, as some products don’t implement 100% of the required elements of compliance, and this conformance doesn’t have as much flexibility as strict one has. The most used PP during this year was the one for Hardcopy Devices, with 15% of the certifications. This PP was used for multi-function devices, mainly in Japan, but it also was very frequent in Canada. The chart also shows Smartcards and similar devices were the most certified category this year, with the PP0084 in the second place, and the Machine Readable Travel Document PP in the fourth place. Sometimes this is due to multiple configurations of the same device being certified in the same process – for example, with BAC, EAC or PACE. In the third place we have the cPP for Network devices, very representative and one more year in the top. And the fifth place was for the Application software PP, which was also widely used with almost 8%.
  15. We also collected information about the use of collaborative protection profiles. In 2023, only 17% of the Protection Profiles used were collaborative PPs. As we saw before, the most used PPs (Hardcopy devices, Security ICs and Machine Readable Travel Document) weren’t collaborative. The second pie chart shows the most used cPPs this year. The winner is of course the cPP for Network devices, with a huge difference over the second, one more year in the top of the cPPs. The second one is the Stateful Traffic Filter Firewalls cPP with seventeen percent, and the third place is for the Full Drive Encryption cPP, in 5% of the certifications with cPPs.
  16. And here goes one of the most popular statistics of this presentation: the top five manufacturers of CC certified products. Big congratulations to Idemia, the winner this year with 26 certifications. In 2022 they weren’t in the top 5 and they came back straight to the top. NXP is close in the second place with 23, the same position as in the previous year. Infineon gets the bronze medal with 20, one position higher than in 2022, and Samsung is in the fourth place (going down one position) with 17. Huawei is the only vendor in the top 5 that isn’t specialized in the industry of Smartcard; they stood one more year on the top with certifications of network devices. Congratulations to all the winners!
  17. This chart shows the categories of products that were certified during this year, and it confirms what was already suggested by previous statistics. The main category of certified products was Smartcards and similar devices, with 34%. The second place, far away with 15%, is for network devices. Multi-function devices have an important representation with 12%. Other types of products with representation are Boundary protection devices (5%), Data Protection (also 5%) and operating systems (with 4%). Access Control Devices and Digital signature products also represent a 3%. There is a 19% of products falling under “Other devices and systems”, for products not belonging to other categories. We plan to improve the scraper in the following years to provide more accuracy and put less products under this generic category.
  18. As collectors of CC certification data, this statistic is especially interesting to us. Since the first executions of the scraper, we noticed that not all the certified products are uploaded to commoncriteriaportal, some of them are published just in its National CB website. But… this year we are very happy because the big majority of them were published in CC portal as well. 95% of the certified products can be found in commoncriteriaportal.org, whereas only 14 of them are published only in national CB. In comparison with previous years, this statistic has improved a lot, so congratulations to all the individuals responsible for this good work.
  19. Those were the statistics for 2023. Now, we’ll present some relevant comparative statistics with the previous years, up to 2019.
  20. This chart shows a trendline for the total number of certifications carried out during the last five years. In 2019, 333 (three hundred and thirty three) products were certified. Then, the trend line shows that 2020 and 2021 were better years for the industry, with 371 (three hundred and seventy one) and 382 (three hundred and eighty two) respectively. Then, in 2022, the numbers decayed, with 356 (three hundred and fifty six) certifications, but still with more certifications than in 2019. Please, remember that we collected data for 2023 only until twenty-ninth of September. Up to that date, 310 (three hundred and ten) products were certified but, by calculating proportionally with respect to the average number of certifications per month, we can estimate that by the end of the year there will be around 413 (four hundred and thirteen) certified products. If that is confirmed, 2023 will be the best year of the decade so far. Let’s hope that the forecast is fulfilled.
  21. We also calculated the relative number of certifications per scheme in the last 5 years. Some very relevant information can be extracted from this statistic (it shows France as the winner, with USA very close): it is confirmed that the triplet USA, France and Netherlands became a consolidated top-three. Germany is in the fourth place, although it was common to see them in top-3 in previous years. Japan and Canada follow with 7% in the fifth and sixth places, and then Spain and Sweden with 5% each, in the seventh and eighth places. The list continues with Italy, Korea, Malaysia, Turkey, Australia, Singapore and India, with smaller numbers.
  22. This year we elaborated a new statistic, to compare how well the schemes did in 2023 (with orange bars) with respect to 2022 (with blue bars). Even when, for 2023 data has been collected only for the first 9 months of the year, we can already see that the number of certifications in most countries is, in general, very close to that achieved in 2022. This means that, probably, at the end of the year most schemes will have surpassed their numbers for 2022. We only find a couple of deviations in this list: France is 14 certifications below in comparison with 2022, and Germany is 8 below, but with three months ahead, they can still catch up. In the case of Italy, they have half the certifications than in the previous year, but nothing prevents them from getting close to their previous numbers at the end of this year.
  23. This statistic shows the evolution of the top laboratories in the last five years. Important warning: the labs in this list are those with the highest accumulated number of certifications in the last 5 years, and not in the full history. The chart shows that laboratories such as SGS Brightsight and Applus+ Group maintained a growing trend over the last 5 years, consistently increasing their numbers every year. TÜV maintained stable numbers around 30 certifications, except in 2021, where they peaked up to 53. And two of the labs in the chart show downwards trends since 2019: Intertek group, that went from 33 in 2019 to 17 this year; and SERMA, with low numbers in 2021, and only 5 certifications so far in 2023.
  24. And it is also interesting to check the evolution of the laboratories between 2022 and 2023. The chart in the left shows those laboratories that, until October 2023, have certified significantly less products than in the previous year. We can highlight among those, ATSEC (going from 27 to 9), SERMA (going down from 23 to 5) and ECSEC (who fell from 12 to only 2). Other labs in the chart, with smaller numbers, have certified so far one or zero products. We would like to highlight that this is not a criticism to those labs, it could be that the last year they certified more products than usual, or that they are focused currently in other type of certifications. In the other side of the coin, the chart in the right shows those labs that up to October 2023 already did better than in 2022. We can highlight, for example, Combitech in Sweden (from 4 to 12), or ITSC in Japan (going up from 11 to 17); KOSYAS in Korea and BEAM in Turkey have already exceeded their previous year's figure by quite a margin as well.
  25. This chart shows how the number of certifications in certain relevant categories evolved throughout the last 5 years. First, the order of the lines in the chart reveals that, like in the current year, Smartcards are clearly in the top one, followed in the distance by Network devices and Multi-function devices. Far away are other categories like biometrics, data protection, mobility and others. The idea of this statistic was to show if some categories have become more popular in the last years. For example, one could have expected that mobility or IoT would have increased their numbers recently, but it didn’t happen. Lastly, the evolution of the main categories shows a stable line, with a shape very similar to that of the global number of certifications.
  26. Well, there are many more statistics that we generate, and a lot of interesting situations to comment on, but unfortunately time is limited. However, we already provided a good set of representative statistics and, after having analyzed them, we are ready to draw some conclusions.
  27. As a summary, 2023 is being a really good year for the CC certification industry. With the numbers that we have shown and the estimation calculated for the end of the year, I think we aren’t being too optimistic if we forecast that it will be the best in the last five. We saw that three schemes stand out clearly from the rest: France, Netherlands and USA, and they are in the top three year after year, as consolidated top schemes. The certification landscape was mainly distributed between two groups of certifications: High EALs, in the top, and PP-compliant certifications after them. For low assurance certifications, PP-compliant evaluations could have replaced EAL2 and EAL1 ones due to good suitability of the existing PPs for specific technologies. As such, 77% of the certifications used Protection profiles; the most popular PPs are the Hardcopy Devices PP and those related to Smartcards. Network devices is the most popular cPP. SGS Brightsight was the laboratory with the highest number of certifications, followed by Applus Cybersecurity Labs group and TÜV. The list of the top vendors was very similar to the one in 2022, with Idemia in the top 1. Huawei was the only vendor in the top 5 dedicated to smartcards.
  28. The good numbers of the year don’t show any symptoms of decaying, although, IN THE PAST, we spotted relevant changes in the certification landscape. While lightweight national certifications are becoming very popular, and cloud based products demand certification that CC doesn’t support well, this doesn’t seem to have affected the industry this year. But, CC itself is also changing and we need to see how it will affect the industry. First, vendors and labs need to adapt to CC 2022. After June 2024 it won’t be possible to use the old version, except with PPs certified for version 3.1. And those PPs need to be migrated to the CC 2022 before 2027. It’s possible that this could slow down CC certifications in the following years. On the other hand, EUCC is finally landing in Europe. A draft of the implementing act is already published. Then there will be 1 year transition period after which EU countries will no longer issue certificates under CCRA. This could also impact the industry and decelerate the certification roadmap of some vendors. And, of course, YET we have to see how the non-European markets evolve after this change roots in Europe. In conclusion, we need to keep an eye out on how the industry will evolve during the next couple of years, and JTSEC will be there to update the statistics, and analyze how these changes impact the number of certifications.
  29. Thank you very much for your attention. It’s been a pleasure to present these statistics here for you. If you want to ask any question, please feel free. If you think of any other interesting statistic to generate, or if you think some numbers are not accurate, please contact us and we will take your feedback into account to improve. THANK YOU.