By Steve Lipner, Executive Director, SAFECode
Last week, several of us from SAFECode made a whirlwind visit to Brussels, capital of the European Union. The EU is considering cybersecurity legislation that would create a new EU-wide security certification regime, and we thought it would be helpful to share our experience about what kinds of practices make sense for secure products and online services, and how a certification scheme can identify and encourage such practices. Over two days we spoke with about twenty people from the European Commission, the Council and the Parliament.
The proposed cybersecurity legislation anticipates voluntary certification schemes that would apply particularly to consumer devices such as Internet of Things (IoT) devices, security products, and products used in critical infrastructures. Once adopted at the EU level for specific products and services, such schemes would be valid across the EU and replace existing national schemes.
I’ve been involved with security certification schemes for products since the early 1980s and have witnessed what works and what doesn’t. The International Common Criteria (CC) is a current scheme for evaluation and certification of security products and products with security features. A benefit of CC derives from the fact that it is based on an International Standard (ISO 15408) and it allows vendors to certify in any of seventeen countries and have certification results recognized in all twenty-eight CC member countries. However CC is not well adapted to modern development and technology: It may take months or years to certify a product version while modern software and services are updated multiple times each month, or even each day. Given the continued contraction of product development cycles and life spans, certifications such as Common Criteria will not be able to serve the majority of ICT products. Furthermore, CC focuses on security features while real-world vulnerabilities usually come from design or implementation errors elsewhere in software. Finally, CC certifications are relatively expensive – a significant factor for small and medium-sized developers and online service providers.
Today, companies like SAFECode members integrate security into their development processes. They threat model their designs while the designs are being created, run code analysis tools while the code is being written or compiled, and do dynamic security testing during their pre-release testing of the product or service. They do this whether they are working on a multi-million line operating system or a twenty-line Agile update to an online service. The result is “Security by Design” – when the code is ready, the security is done.
We described modern security practices to our hosts from the EU and encouraged them to consider certification schemes that would focus on the soundness of developers’ processes and on confirming the application of those processes to delivered code. We pointed to a new ISO standard (ISO 27034) that supports such a certification framework. A security certification process based on ISO 27034 would be able to certify a product or service when it shipped or went live – not months or years afterward. It would also provide recognition beyond the EU market. Such a process could also be compatible with self-certification or self-attestation by developers – a better approach to achieving certification at scale than requiring a large number of third-party certifiers.
Our hosts from the Commission and Parliament were very interested in the approaches we described. One of the questions that several people raised had to do with the feasibility of small and medium-sized organizations applying secure development processes. We pointed out that SAFECode has released a lot of free guidance and training on secure development that is consumable by organizations large and small. We came away with a commitment to think about how SAFECode could do more to serve the needs of small organizations that seek to do secure development.
The EU legislation is still a work in progress, and we don’t know what the final result will be. But we appreciated the opportunity to talk to our hosts from the EU and are optimistic that their work will help to advance the state of security and certification for developers and users worldwide.