I pulled this unpublished opinion piece out to send to you this month, to present an opposing viewpoint. Even if you haven’t read Bruce’s editorial, I believe you will find this interesting. At the end of the original, I have added some more directed “rebuttals” to some of Bruce’s comments. I do this with respect, and I hope I make this clear. Bruce Schneier has written more books than I, and has contributed more to computer and network security than I. Oh, and let me also be clear on this: it is not my intention to turn this newsletter into a point/counterpoint forum… except just this once.

[Full Disclosure: ICSA Labs does product certification. In the past I have worked as a consultant for them, working on test criteria and certification descriptions. I did not develop this program with them. I was a vendor — TIS, Gauntlet — when I first was involved in product certification. I am currently working with them to develop their professional certification program.]

Computer Security Product Certification

There are four types of certification, and they are based on who does the certifying. They are vendor certification, market certification, user (self) certification, and independent certification.

Each of these requires:

• access to the product,
• test criteria,
• a test environment,
• expertise, and
• time to test it.

 Vendor Certification

Market certification

• If there is something wrong with the product, I will not look stupid for buying it. Millions of others have also.
• If there was something wrong with the product, one of those other millions of users would have already found the problem and reported it. If the problem is yet undiscovered, the probability of it biting me first is very low.

Anyway, depending on this type of certification means we will always be waiting to use a product.

 User (Self) certification

You (the certification group) have to become expert in the area you are testing. Shouldn’t you become an expert to use a sophisticated security product, anyway? The knowledge needed to use a product safely and securely is much less than is needed to test it fully. (You have to know how to drive a car in order to test it, but the knowledge needed to safely drive and service a car is much less than is needed to certify it.)

 Independent Certification

There are two types of independent certification, public-sector and private-sector. The United Kingdom’s ITSEC scheme and the United States’ Common Criteria Project (CC) represent public-sector certification. ICSA is a private-sector certification group, as is West Coast.

I support and encourage private-sector certification. The reasons for this are:

• The committee nature of the Common Criteria organization and control
• Its size (the complete Common Criteria, as of Version 2.0, is 606 pages)
• The nature of the CC itself: there is a potential for many different test criteria for the same type of product

Next Steps

Quotes from CRYPTO-GRAM

“First, network security is too much of a moving target.”

Yes, it is. So you change the rules a bit. You have criteria that are good for a period of time … 6 months or a year … and you test against those criteria. The criteria are based on good practices. The result is a list of products that meet those criteria. Not as clean as being able to rate a safe a “TL-15” or rating a firewall — in building construction — as “2 hours”, but I think product certification is still a useful measure.

“Second, network security is much too hard to test.”

Granted, all one might be certifying is a firewall or antivirus product in one set configuration, surely matching no one individual’s set-up. Like EPA mileage numbers on automobiles (EPA is the US Environmental Protection Agency, which, among other things, publishes gasoline mileage numbers for new automiboles), your mileage may vary. But the certification is useful as a means of differentiation. And it causes vendors to make sure their products pass at least the “minimum” requirements.

“Third, I’m not sure how to make security ratings meaningful.”

To be meaningful we do not have to have hard numerical measurements. We do need test criteria and test results. Simple mechanisms — safes, fire doors — can have simple criteria. Complex mechanisms have complex, or more involved tests, and fuzzier results. Just as in security, we talk about assurances rather than “yes” or “no;” we settle for less determining, but still useful, criteria. “Pass” or “Fail” is meaningful and useful given meaningful criteria.

“Fourth, failures in network security are not always obvious.”

No argument here. For product certification, you test against products using known, good practices. When something new comes along, or you eventually find a hole in your logic, you change the criteria. It changes; products change; so retesting and re-certification is required.

“Fifth, I don’t see how a rating could take context into account.”

I do not believe it has to. Just as “your mileage may vary” doesn’t take your driving into account. The city/highway numbers in the EPA example attempt to capture this, but it still doesn’t really account for the infinite differences in driving styles, surfaces, conditions, etc. I maintain, certification does not have to be made up of numerically measurable criteria to be useful.

“Sixth, I don’t see how to combine this concept with security practices. Today the biggest problem with firewalls is not how they’re built, but how the user configures them.”

I agree that the test results — the certification — always assumes the product is configured and administered according to good industry practices. As long as this is understood, can’t we use the results? I think we can.

“And seventh, this kind of thing could easily fall into the trap of bashing small products and protecting large products.”

I recall this came up when I was a vendor and we were paying ICSA Labs money to test our firewall product. In practice, this was not a problem. It seems that if someone has the money to produce, sell, and market a product, the cost of certification is insignificant.

Bruce’s final concern is an important one to bring up. I paraphrase: the certifying or testing body will inadvertently become an extortionist. “Pay up and get certified or be branded as UNCERTIFIED.”

In practice, this has not happened. Not with ICSA Labs certification, not with Western Labs Checkmark certification, and probably will not with the Center for Internet Security. Why? I don’t know, but I have my hunches.

Links of interest: