Although we have an extensive library of presentations, we prefer to adapt these or create new ones to customize the whole course to your situation. We appreciate the difficulty of knowing what courses you want, so we list some repeating
As with all our services, should your needs not be listed explicitly below, please contact us; most likely we can provide you with a custom workshop.
Introduction to evaluation and certification methods (Common Criteria, FIPS-140, PCI, ...) in 1-4 hours
Want the short and simple version? Tell us how long you have and in that time we will explain to you:
The limits of product evaluations, or how to hack certified products (1-2 hours + discussion time)
Evaluation methodologies like Common Criteria play by certain rules. Hackers breaking the rules will go outside the safe boundaries of the evaluation, potentially breaking the security of the product.
This course teaches in a fun, accessible way just how to look at evaluated products and how not.
Common Criteria introduction in 2 days
This course provides the participants with the necessary knowledge and understanding to decide whether Common Criteria is suitable for their situation. It also describes what impact a Common Criteria evaluation process will have on the product, its documentation and the processes of development and production. The course covers all aspects of the CC at the industry standard level EAL4+ from beginning to end, including protection profiles (PPs), security targets (STs), the actual evaluation and surrounding process aspects. These aspects are described from the views of
Subjects covered
The following subjects are covered by this course:
Common Criteria for developers
We generally provide Common Criteria training in combination with consultancy activities for you as a developer, both helping you understand what is required and, together with you, achieving it.
These courses are adapted so that together with the consultancy, the total learning effect is optimal and has the least impact on the developer's time. As such, a general schedule is hard to give.
Common Criteria for evaluators and certifiers
Whereas many courses focus on the literal description of the CC requirements and how they should be read, they still leave out how an evaluator can perform the evaluation in a practical manner.
This course shows the full complexity of an EAL4 Common Criteria evaluation project. From Security Target evaluation (ASE) to Vulnerability Analysis (AVA), the practical aspects of the evaluator tasks are discussed, including the pitfalls that lead to difficulties and the valid short-cuts that reduce effort and complexity.
As evaluations are not stand-alone activities, the interaction with the developer and with the certifiers is also covered.
A typical course is 4-5 days long, with after care via email for a few weeks. Course certificates of attendance, or of passing the exam, will be issued.
Common Criteria as requirements setting method
Security officers, product acquirers, risk managers, law and procedure drafters: many people need to improve the security of their organization. Improvements of the processes are often implemented with the ISO 2700x range and similar local approaches.
Common Criteria offers an excellent method for improving product security. The Common Criteria evaluation and certification processes already solve the difficult aspects of how to test the security quality of products, how to ensure the testing is done accurately, and how to verify the expertise of the companies doing the testing. Verification of all this is very simple: check for the CC certificate. Big organizations, including organizations in the financial, telecom, government and defense domains, are finding this a very convenient and effective way to improve overall security.
All that is left is to specify which security properties the product should show. In a workshop of a day, together we can make or select such a set of security properties (called a "Protection Profile" in Common Criteria).
Selection of an existing Protection Profile is best done in a 4 to 8 hour workshop. Creation of a Protection Profile is best done in an 8 hour workshop, with several days of after care via email.
Evaluation methods
Certain product types, technologies and evaluation levels require a specific evaluation approach. Many years of experience allow us to offer training in specialized evaluation methods. The methods below are commonly requested (more are available on request):
Formal methods
At high evaluation assurance levels (in Common Criteria: EAL6 and higher), formal methods are required. Formal methods use mathematical proofs to show that a product meets its requirements. The logical proof methods to use are, as the mathematicians like to say, "non-trivial" (meaning: complex).
Random number generators
Random number generators are notoriously hard to verify. As always, the good thing is that there are multiple standards to choose from, which is also exactly the bad thing.
Both blackbox testing and whitebox analysis of random number generators are a fascinating but complex field. Note that we are also working on a complementary tool to facilitate the testing.
Other methodology and technology?
It is hard for us to list all the evaluation methodologies and technologies we can offer training in. If you are missing one, please contact us.
Author: Wouter Slegers - Copyright Your Creative Solutions 2009 - All rights reserved