Re: Vulnerability Assessment of a EAL 4 system

Lassi Hippeläinen wrote:
> JAB wrote:
>> Neil Jones wrote:
>>> Thank you for replying.
>>>
>>> The system is an EAL4 system (using Common Criteria). Do I need to look
>>> for the protection profiles on the system? Are there any config files
>>> that define these protection profiles (PP)?
>>>
>>> N J
>>
>> The Security Target should be available and this would be a good
>> starting point, as this should tell you how the system meets the
>> Protection Profile to which it conforms. As a little aside, I wouldn't
>> hold that much faith in a CC evaluation to 'prove' that a system is
>> secure. CC is criticised for focusing too heavily on paperwork and
>> process and little on actually uncovering vulnerabilities.
>
> Exactly. CC is meant to analyze the process, not the product. The CC
> doesn't include debugging. The deepest level of analysis is source code
> review.
>
> The abbreviations EAL and PP are different sides of the same coin: the
> EAL tells the amount of effort put into compliance, and the PP tells
> what the end result is trying to be compliant with. If you want to know
> something about a product, the PP is more important than the EAL.
>
If I were to be perfectly honest, I would say that CC is a great idea but
the reality is that it adds almost nothing to the security of a product,
as it is governed by purists who have no understanding of the
commercial world or, more importantly, why security vulnerabilities occur.
The sooner it is ditched in favour of an evaluation scheme that actually
concentrates on whether a product is secure, the better. Unfortunately the CC
board seems so entrenched in its own little world that I don't expect any
changes soon.