Page Two

By Dennis Fisher  |  Posted 2004-04-18

In a similar vein, the task force asks the government to fund research into better code-scanning tools that would help vendors find coding errors before their products make it to market.

Any major changes to the Common Criteria process could have a profound effect on the way vendors build their products because several federal agencies have begun using the evaluations as part of their purchasing process, giving certified products a leg up. In addition, if the certification eventually gains more credibility and understanding among enterprise customers, it could become a competitive advantage for vendors.

"It could become a de facto Underwriters Laboratory [Underwriters Laboratories Inc.] seal. The intention is to make assurance something that every vendor does," said Chris Klaus, chief technology officer of Internet Security Systems Inc., in Atlanta, and co-chair of the task force. "People can always ask for more, but you have to start somewhere. The vendors want this to be widespread."

"I think an industry standard for security is long overdue," said Patrick Flannigan, IT administrator at CFS Mortgage Corp., in Phoenix. "I'd relate it to the UL seal of approval on electrical appliances. I wouldn't buy one without it. [The government and vendors should] publicize it so that IT folks and the general public are aware of it. That acceptance would motivate manufacturers to ensure [products] meet as high a standard as possible, raising the overall average level of security in computing."

The task force also wants NIAP to make the evaluation process more accessible and easier to complete so that smaller vendors with fewer resources can take advantage of it. One major problem with the testing process is the relatively small number of labs that are certified to do Common Criteria evaluations.

"It takes too long and costs too much money, but NIST doesn't have the money for any more labs," said Oracle's Davidson. "There needs to be some more allocated for that."
