WASHINGTON, DC—Microsoft Corp. on Wednesday clinched Common Criteria security certification from the U.S. governments National Information Assurance Partnership for six versions of its flagship Windows OS.
At the Security Summit East here, Microsoft announced that all the products earned the EAL 4 + (Evaluation Assurance Level), which is the highest level granted to a commercial product.
The products receiving CC certification include Windows XP Professional with Service Pack 2 and Windows XP Embedded with Service Pack 2. Four different versions of Windows Server 2003 also received certification.
In an interview with Ziff Davis Internet News, director of security engineering strategy at Microsoft Steve Lipner said the certifications are a significant proof point of Redmonds commitment to creating secure software.
“Not only that, but were committed to an independent outside review of the way weve secured our products,” he said.
Common Criteria certification, which was ratified as an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contribute to higher levels of consumer confidence in IT product security, Lipner said.
He said government agencies, financial institutions and other sensitive market segments are very aware of CC certifications and use it to guide decisions on buying software.
During the certification review, Lipner said the various versions of Windows XP and Windows Server 2003 were evaluated in more than 20 real-world scenarios or “workloads” in a testing lab. It includes rigorous and exhaustive testing at the source-code level to determine certifications, he explained.
Critics of Common Criteria certification say the ratings are not a true reflection of the secure nature of a product in general purpose situations because it does not take every general-purpose situation into account.
However, Lipner noted that the evaluation looks at things like security features, user authentication and authorization, access control mechanisms, auditing, firewall functions and encryption.
In Microsofts case, he said the EAL 4 + rating complements the companys mandatory SDL (Security Development Lifecycle), which outlines the “cradle to grave” procedures used for software creation at Microsoft.
“This is really a validation of the security features and functions in the products. When combined with the SDL, it will give customers an additional level of confidence in our commitment to security,” Lipner added.