Introduction

Advances in technology have driven significant business growth.

Business leaders are well aware of how important Artificial Intelligence, Big Data analysis, automation and integrated systems management have become to their daily operations and to taking their business to the next level. Statistics show that an average of 6,140 mobile apps are released through the Google Play Store every day. We are more reliant on technology than ever before, and it has improved our quality of life on a daily basis.

This also means there is always a new “opportunity” for attackers to exploit a weakness. Attackers rarely reinvent the wheel; they reach for the common techniques that are proven to be highly effective: phishing, malware, SQL injection, cross-site scripting (XSS), denial of service (DoS) and many more. Cybercrime is now a lucrative industry, estimated to have generated $1.5 trillion in 2018.

Organizations need to understand how these attacks occur in order to take the preventive measures that protect their business.

Common Criteria for Developers

The Common Criteria (ISO/IEC 15408) is an international standard for evaluating the security functionality claimed by IT products and systems.

The following definitions of the Common Criteria evaluation concepts are taken from Wikipedia:

  • Target of Evaluation (TOE) – the product or system that is the subject of the evaluation. The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target’s security features. This is done through the following:
    • Protection Profile (PP) – a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product’s ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target’s ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.
    • Security Target (ST) – the document that identifies the security properties of the target of evaluation. The ST may claim conformance with one or more PPs. The TOE is evaluated against the SFRs (Security Functional Requirements. Again, see below) established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a database management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
    • Security Functional Requirements (SFRs) – specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, an SFR may state how a user acting in a particular role might be authenticated. The list of SFRs can vary from one evaluation to the next, even if two targets are the same type of product. Although Common Criteria does not prescribe any SFRs to be included in an ST, it identifies dependencies where the correct operation of one function (such as the ability to limit access according to roles) is dependent on another (such as the ability to identify individual roles).

The evaluation process also tries to establish the level of confidence that may be placed in the product’s security features through quality assurance processes:

  • Security Assurance Requirements (SARs) – descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the ST and PP, respectively.
  • Evaluation Assurance Level (EAL) – the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic (and therefore cheapest to implement and evaluate) and EAL 7 being the most stringent (and most expensive). Normally, an ST or PP author will not select assurance requirements individually but choose one of these packages, possibly ‘augmenting’ requirements in a few areas with requirements from a higher level. Higher EALs do not necessarily imply “better security”, they only mean that the claimed security assurance of the TOE has been more extensively verified.
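The dependency rule described above is something an ST author has to check by hand: every SFR claimed in the Security Target either has its dependencies claimed as well, or the ST has to justify why not. The following is an added example, not code from the original article, from Wikipedia or from Securelytics. It encodes a small, hand-transcribed subset of the Part 2 dependency table (assumed to match CC Part 2 v3.1; the standard is authoritative, so verify any entry before relying on it) and reports which dependencies a claimed SFR set leaves unsatisfied. It handles the two cases that trip people up: an “A or B” dependency that either alternative satisfies, and a hierarchically higher component (FIA_UID.2) satisfying a dependency stated on the lower one (FIA_UID.1). The sample ST claim lists are constructed for illustration.

```python
"""Dependency check for the SFRs claimed in a Security Target (ST).

Added example, not part of the original article. DEPENDENCIES and
HIERARCHICAL_TO are a hand-transcribed subset of CC Part 2 (assumed to
match v3.1); the standard itself is authoritative.
"""
from __future__ import annotations

# SFR component -> its dependencies. Each dependency is a tuple of
# acceptable alternatives, because Part 2 writes "[A, or B]" when any
# one of several components satisfies the dependency.
DEPENDENCIES: dict[str, list[tuple[str, ...]]] = {
    "FIA_UID.1": [],
    "FIA_UID.2": [],
    "FIA_UAU.1": [("FIA_UID.1",)],
    "FIA_UAU.2": [("FIA_UID.1",)],
    "FMT_SMF.1": [],
    "FMT_SMR.1": [("FIA_UID.1",)],          # roles need identified users
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_MSA.3": [("FMT_MSA.1",), ("FMT_SMR.1",)],
    "FDP_ACC.1": [("FDP_ACF.1",)],
    "FDP_ACC.2": [("FDP_ACF.1",)],
    "FDP_ACF.1": [("FDP_ACC.1",), ("FMT_MSA.3",)],
    "FPT_STM.1": [],
    "FAU_GEN.1": [("FPT_STM.1",)],
    "FAU_GEN.2": [("FAU_GEN.1",), ("FIA_UID.1",)],
}

# component -> the lower component it is hierarchical to. Claiming the
# higher one satisfies a dependency stated on the lower one.
HIERARCHICAL_TO: dict[str, str] = {
    "FIA_UID.2": "FIA_UID.1",
    "FIA_UAU.2": "FIA_UAU.1",
    "FDP_ACC.2": "FDP_ACC.1",
}


def covered_components(claimed: set[str]) -> set[str]:
    """Claimed components plus every lower component they are hierarchical to."""
    covered = set(claimed)
    for comp in claimed:
        lower = HIERARCHICAL_TO.get(comp)
        while lower is not None:
            covered.add(lower)
            lower = HIERARCHICAL_TO.get(lower)
    return covered


def check_dependencies(claimed_sfrs: list[str]) -> dict[str, list[str]]:
    """Return {claimed SFR: [unsatisfied dependency, ...]}; {} means clean.

    An unsatisfied "A or B" dependency is reported as "A|B". Components
    missing from the table go under the key "unknown", so a gap in the
    table is never mistaken for a clean result.
    """
    claimed = set(claimed_sfrs)
    covered = covered_components(claimed)
    report: dict[str, list[str]] = {}
    for comp in sorted(claimed):
        if comp not in DEPENDENCIES:
            report.setdefault("unknown", []).append(comp)
            continue
        missing = ["|".join(alts) for alts in DEPENDENCIES[comp]
                   if not any(alt in covered for alt in alts)]
        if missing:
            report[comp] = missing
    return report


# Constructed sample claim lists (not from any real ST).
# Role-based access control with identification satisfied by FIA_UID.2.
ST_COMPLETE = ["FDP_ACC.1", "FDP_ACF.1", "FMT_MSA.1", "FMT_MSA.3",
               "FMT_SMF.1", "FMT_SMR.1", "FIA_UAU.2", "FIA_UID.2"]
# Same idea with the supporting management, identification and audit
# components left out, as a first ST draft often does.
ST_DRAFT = ["FDP_ACC.1", "FDP_ACF.1", "FMT_SMR.1", "FAU_GEN.2"]


if __name__ == "__main__":
    for name, sfrs in (("complete", ST_COMPLETE), ("draft", ST_DRAFT)):
        gaps = check_dependencies(sfrs)
        status = "all dependencies satisfied" if not gaps else "unsatisfied:"
        print(f"{name}: {status}")
        for comp, missing in gaps.items():
            print(f"  {comp} -> {', '.join(missing)}")
```

Each entry the check reports is exactly one line the ST author must either resolve by adding the component or explain in the dependency rationale. Extending the table to the full Part 2 catalogue is mechanical; the shape of the check does not change.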

Summary

In a typical Software Development Lifecycle (SDLC), security testing is performed late, after the software has already been built. Yet it is now well understood that most software vulnerabilities are introduced during the design and implementation phases. Following the Common Criteria approach, which places assurance requirements on the development process as well as on the finished product, security testing should be integrated before, during and after each phase of the SDLC.

The journal article this summary draws on defines a software vulnerability as follows:

“In addition to poor secure software development methodologies, exponential increase in the internet enabled applications, unconscious internet users and hackers caused new problems. One of the most important of these problems is software vulnerabilities used by hackers and unconscious users. Vulnerabilities are weaknesses in software that allow hackers to compromise the integrity, availability or confidentiality of processed data or that software. Some of the most severe vulnerabilities allow hackers to run malicious code, potentially compromising the computer, its software, and the data that resides on the computer. Various sources including software vendors, security software vendors, independent security researchers, and those who create malicious software can cause disclosure of vulnerability.”

A business that wants to stay in business must keep up with current cybersecurity threats and take deliberate steps to reduce its vulnerabilities, so as to prevent the intrusions that would compromise its vital data.

Securelytics has a broad range of skills and expertise to help our clients navigate the evaluation process effectively. Click here to learn more on how to make your business secure and stable for future growth.