please consider German BSI certification

Started by dstr, October 27, 2023, 10:25:10 AM

The OP is 6 months old, but for anyone who ends up here looking into CC...

Back in 2008, I wrote a paper on the published criticism about CC.
I presented the paper at a DoD conference.
"Common Criteria: A Survey of Its Problems and Criticism"
Department of Defense Cyber Crime Conference 2009, St. Louis, MO, January 2009

I just put the paper on my website, FYI:
https://jimyuill.com/cs-research/comp-sec-papers/

The paper is dated, but may be useful, as some of the problems likely persist.

Abstract: The Common Criteria (CC) is a computer-security standard that some governments use for procurement, e.g., the U.S. Department of Defense. To sell information-security products in these markets, CC certification is required. Much has been published about problems with CC, and there is extensive criticism of CC. For example, a director of the U.S. CC program was recently quoted as saying, "Defending the program is a full-time effort. It is a difficult job." This paper presents a survey of the problems and criticism reported about CC. The paper provides: (a) a categorization for the reported problems, (b) a survey of the reported problems, organized by category, and (c) an annotated guide to the sources that were especially useful and authoritative. This paper is intended as a resource for those who are: evaluating CC for possible use, preparing to use CC, or researching CC itself.

The criticism about CC fell into three categories:
* Problems with CC's effectiveness
* Problems with CC's stated limitations
* Problems with CC implementation

Another update. The OPNsense hardware distributor just tried to catch us with BSI promises, then sold us an overpriced garbage device that failed on the initial installation. Therefore OPNsense is not on the list anymore after 2026. Maybe I reach 100 active devices until then.

With all due respect I don't think your posts (old and new) ooze professionalism. Part of it is knowing when to stop a discussion and the other part is knowing not to throw shade at random anonymous entities allegedly screwing you over. You can solve all those things in business scopes yet you choose to drag them out in public. ;)

It's time to let this thread go.

Does BSI stand for BullShit Initiative, or what? Wasted 10 minutes of my life trying to make sense of what this thread is about... Next time, I'd rather have some beer. WTH.

It's Bundesamt für Sicherheit in der Informationstechnik - Federal Bureau for IT Security, and they do publish a lot of pretty good things. Like the IT Grundschutzhandbuch - IT Basic Security Manual. A catalog with concrete advice for dozens of products and protocols and their respective recommendations.

My core argument is that their certification is so niche, no major vendor actually cares and I know of no large enterprise (and I worked for quite some) that would run anything but Cisco, Juniper, Checkpoint, Fortigate, ... all not BSI certified.

The only vendor that regularly re-certifies their firewalls with BSI is German Genua. They specialise in winning government contracts ;)
The downside: their firewall actually cannot do much. Think of TIS FWTK or very early Gauntlet. Yes - that. So the firewall is highly secure, but it does not support many applications or modern concepts.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Oh, OK, sounds pretty standard then - certification made for the sole purpose of being able to make the befriended vendors win in public tenders. I guess OPNsense rather needs the Dutch variant of the BSI certificate. ;D  :P

Quote from: doktornotor on August 19, 2024, 07:51:08 PM
Oh, OK, sounds pretty standard then - certification made for the sole purpose of being able to make the befriended vendors win in public tenders. I guess OPNsense rather needs the Dutch variant of the BSI certificate. ;D  :P

Yes, it makes sense that OPNsense should apply to Dutch regulation. Currently it looks like for critical infrastructure (where it comes to real security and not just homelab security) they will change laws, so you can only use hardware/software built in Germany. At that point, OPNsense would not be usable anyway for real security needs (in Germany).

Quote from: dstr on August 20, 2024, 11:05:24 AM
OPNsense would not be usable anyway for real security needs (in Germany).

I think we already know that was your opinion from the start. No need to reiterate. :)


Cheers,
Franco

Quote from: dstr on August 20, 2024, 11:05:24 AM
they will change laws, so you can only use hardware/software built in germany.

Yeah, I can see Siemens, Deutsche Bank, Volkswagen, ... all throw out their million Euro worth of Cisco and Checkpoint gear for some "real security" ;D ::)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

January 06, 2025, 06:33:27 AM #39 Last Edit: January 10, 2025, 08:04:26 AM by Junkyozzo
This is an old thread, but it's fascinating how much the conversation around Common Criteria (CC) still resonates. Thanks for sharing your paper—your breakdown of CC's issues is spot on, especially regarding its implementation challenges. I remember a few years back, my team was navigating a procurement process that required CC-certified devices. It was a nightmare—lots of red tape, and the hardware we received wasn't exactly stellar. It felt like we were paying more for the certification than the actual quality.

By the way, on a related note, I recently dealt with London Apostille Services Ltd while getting some documents certified for an overseas project. They were a lifesaver—quick, professional, and reasonably priced. If only other certification processes were as seamless!