The growing digitalisation of our economies and societies is driving the need for increased connectivity of critical applications and infrastructures to the point where failures can lead to important disruptions and consequences to our lives. One growing source of failures for critical applications and infrastructures originates from cybersecurity threats and vulnerabilities that can be exploited in attacks. One approach to mitigating these risks is verifying that critical applications and infrastructures are sufficiently protected by certification of products and services. However, reaching sufficient assurance levels for product certification may require detailed evaluation of product properties. An important challenge for product certification is dealing with product evolution: now that critical applications and infras- tructures are connected they are being updated on a more frequent basis. To ensure continuity of certification, updates must be analysed to verify the impact on certified cybersecurity properties. Impacted properties need to be re-certified. This paper proposes a lightweight and flexible incremental certification process that can be integrated with DevSecOps practices to automate as much as possible evidence gathering and certification activities. The approach is illustrated on the Common Criteria product certification scheme and a firewall update on an automotive case study. Only the impact analysis phase of the incremental certification process is illustrated.

Incremental Common Criteria certification processes using DevSecOps practices / Dupont, Sébastien; Ginis, Guillaume; Malacario, Mirko; Porretti, Claudio; Maunero, Nicolò; Ponsard, Christophe; Massonet, Philippe. - ELETTRONICO. - (2021), pp. 12-23. (Intervento presentato al convegno 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) tenutosi a Wien (all digital event) nel September 6-10 2021 Wien (all digital event)) [10.1109/EuroSPW54576.2021.00009].

Incremental Common Criteria certification processes using DevSecOps practices

Nicolò Maunero;
2021

Abstract

The growing digitalisation of our economies and societies is driving the need for increased connectivity of critical applications and infrastructures to the point where failures can lead to important disruptions and consequences to our lives. One growing source of failures for critical applications and infrastructures originates from cybersecurity threats and vulnerabilities that can be exploited in attacks. One approach to mitigating these risks is verifying that critical applications and infrastructures are sufficiently protected by certification of products and services. However, reaching sufficient assurance levels for product certification may require detailed evaluation of product properties. An important challenge for product certification is dealing with product evolution: now that critical applications and infras- tructures are connected they are being updated on a more frequent basis. To ensure continuity of certification, updates must be analysed to verify the impact on certified cybersecurity properties. Impacted properties need to be re-certified. This paper proposes a lightweight and flexible incremental certification process that can be integrated with DevSecOps practices to automate as much as possible evidence gathering and certification activities. The approach is illustrated on the Common Criteria product certification scheme and a firewall update on an automotive case study. Only the impact analysis phase of the incremental certification process is illustrated.
File in questo prodotto:
File Dimensione Formato  
EuroSP2021_paper_44.pdf

accesso aperto

Descrizione: Manoscritto accettato
Tipologia: 2. Post-print / Author's Accepted Manuscript
Licenza: PUBBLICO - Tutti i diritti riservati
Dimensione 776.92 kB
Formato Adobe PDF
776.92 kB Adobe PDF Visualizza/Apri
Incremental_Common_Criteria_Certification_Processes_using_DevSecOps_Practices.pdf

non disponibili

Tipologia: 2a Post-print versione editoriale / Version of Record
Licenza: Non Pubblico - Accesso privato/ristretto
Dimensione 471.21 kB
Formato Adobe PDF
471.21 kB Adobe PDF   Visualizza/Apri   Richiedi una copia
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11583/2924232