Security Certification in the Age of Connected Cows

Eric Baize, SAFECode Chairman

Last week, I had the honor of presenting a keynote at the International Common Criteria Conference in Amsterdam. The event is the leading forum for the community of government and IT professionals involved in the policy and application of Common Criteria, which is an internationally recognized security certification scheme for information technology (IT) products.

Security certification has come back to the forefront as governments and enterprise customers seek to understand the security of the technology products they purchase and use. For those interested, SAFECode has recently shared its views on software security certification in a brief white paper, which goes into more detail on the history of certification, some of the challenges it presents, and ways we can move forward.

However, I wanted to focus on broadly thinking about how certification schemes can keep pace with modern software development and deployment methods. And here is where the cow came in.

Eric Baize, chairman, SAFECode, delivering the opening keynote at ICCC2018. Photo courtesy: ICCC

The definition of a computer has changed. Information technology has expanded way beyond the laptop and data center into houses, cars, factories and farms. We’ve even gone so far as to software-connect cows so that we can track their movements and detect anomalies and sick animals.

And not only are the systems we have to secure and certify very different, but the way they are deployed has drastically changed. It used to be normal operating practice for IT to take a major application offline for a few days so that it could undertake a massive new deployment of the software’s newest version. While disruptive, this was often the only way an enterprise could upgrade to take advantage of the latest features.

Contrast that with today, where many companies are adopting a continuous delivery approach to software deployment, constantly adding features and small incremental changes with minimal end-user disruption as opposed to “big bang” new releases and installs. Complex, monolithic software design has been replaced with microservices and loosely coupled components.

And while it is true that this trend started more than a decade ago with Internet service companies, it is now becoming pervasive across all types of IT systems. Customers expect this same level of support and innovation for even the most critical IT systems. As a result, software development and delivery, both the processes and architectural approaches, have fundamentally changed to support this shift to a service-oriented delivery model.

So where does this leave software security?

The magnitude of the impact of digital transformation is leading organizations to change their approach to security and adopt a greater focus on risk management. In the best case, this entails a larger emphasis on risk-driven asset identification, designed-in security, and a proactive, cohesive approach to security detection, response and recovery. All of this requires a holistic process for secure software development that can be continuously and consistently applied as software is designed, built, and implemented – even if that software is walking around on a cow.

Not only have security professionals had to change their approach, but so must the certification schemes that aim to evaluate their results. If software security is achieved primarily through a secure development process, then measuring software security needs to focus on that process. Anything else is really only providing a snapshot in time – and given the pace at which modern software is changed, that snapshot’s shelf life is much shorter than it was a decade ago.

Common Criteria may be uniquely positioned to meet the challenge. It is an international standard with built-in mutual recognition that gives it a global appeal. It is supported by a dedicated group of government and enterprise professionals, who have built a widely accepted platform for security certification, delivering hundreds of certificates over the past 20 years and broad international recognition. I was honored to have an opportunity to exchange ideas with this group of experts and discuss opportunities for Common Criteria and other certification schemes to evolve to meet the needs of modern software design, development and delivery. I hope that SAFECode can continue to support and inform their efforts, and the efforts of others working to modernize security certification.