Cyber security certifications and challenges
How can you prove your software product is secure? Let's look at the value of various cyber security certifications.
Let’s say you are designing a software product and want to get some assurance or proof that it is secure against cyber security threats. There is a deluge of cyber security certifications available today – but which of them are relevant for software security?
There are many certificates available for individuals. Even when excluding vendor-specific certs, there are over 20 certifying organizations and well over 200 certificates for various areas of cyber security! There are fewer certifications for organizations; they mainly act as assurance that an organization can manage risk and handle security incidents according to a certain standard (e.g. NIST Cybersecurity Framework).
However, most of these certifications target application, network and operations security: common examples are auditing, forensics, governance, incident response, security management and penetration testing. Let’s look at cyber security certifications and standards from the software security point of view, and at how they can improve the security of development processes and of the software products themselves.
Where is the value?
Of course, wherever standards or certifications are concerned, ISO/IEC is going to be extremely significant. In addition to several organizational standards (27001, 27002, etc.), it also has standards for evaluating the security of development processes and of the resulting products.
ISO/IEC 21827 (Systems Security Engineering Capability Maturity Model, SSE-CMM) is a methodology describing the essential characteristics of an organization’s security engineering process by capturing practices that currently exist in the industry. As a maturity model, it is mainly useful as a self-assessment tool to gauge where the organization’s software development security process currently stands compared to the industry at large.
ISO/IEC 15408 (Common Criteria) defines a security evaluation methodology of a product. Without going into too much detail:
- The vendor defines the security requirements for their product (the Security Target), and may claim conformance to one or more generic Protection Profiles that describe a certain type of product (e.g. “operating system”).
- The vendor hires an accredited evaluation laboratory to verify that the product actually meets these claims, at a chosen level of rigor (Evaluation Assurance Level, EAL 1 to 7).
- If the evaluation has a positive result (based on evaluating the development processes and documentation as well as the product itself), the national certification body can issue a certificate for the product.
Industry-specific cyber security certifications tend to have wide recognition within that industry – in many cases, they are unavoidable, and cover safety, regulatory, and functional requirements as well as security. For instance, medical devices need to conform to – among others – ISO 13485 and EU regulation 2017/745 in order to affix the CE marking that is required for the device to be sold within the European Economic Area.
The Wild West
In many markets, however, such cyber security certifications don’t exist. Damage from security incidents can be externalized to the customers, or to the victims of cybercrime committed by abusing vulnerable software. In these situations, mandatory certification can force good practice even when the market doesn’t. Renowned security expert Bruce Schneier commented on the IoT regulations in California that came into force on Jan 1, 2020:
“[…] Right now, we have a market failure. Because the courts have traditionally not held software manufacturers liable for vulnerabilities, and because consumers don’t have the expertise to differentiate between a secure product and an insecure one, manufacturers have prioritized low prices, getting devices out on the market quickly and additional features over security.
But once a government steps in and imposes more stringent security regulations, companies have an incentive to meet those standards as quickly, cheaply, and effectively as possible. This means more security innovation, because now there’s a market for new ideas and new products. […]”
What cyber security certifications can and cannot do
As seen above, mandatory cyber security certification can have value in certain markets and industries. But what about everything else?
Voluntary security certification (such as Common Criteria) can provide a market advantage. Note, however, that in practice Common Criteria is used mainly for security software and products where a higher level of security assurance is critical, because the process can be lengthy and expensive. In addition, there is no guarantee that customers know what a given assurance level means in practice – or even that they are aware of the existence of Common Criteria!
In the end, a cyber security certification for your product can give assurance that the product, and the process that built it, meet a certain security baseline – but it does not guarantee that the product is free of vulnerabilities.