High Assurance Products in IT Security

Abstract

Corporate decisions concerning the purchase of security software and hardware appliances are often made based simply on the recommendations of the technical staff, the budget process (return on investment arguments), and/or a sales presentation and assertions. This chapter addresses the notion of trusted products and assurance in those products (i.e., confidence in the correct operation of a product) and how assurance is gained through independent review and testing. Early attempts to measure assurance in trusted products are described (some products today still refer to these procedures). Modern approaches to measuring assurance will be discussed in the context of ISO Standard 15408 (the Common Criteria (CC)). Current U.S. federal government policy concerning the use of evaluated products is presented, as well as a discussion of why industrial organizations may wish to consider such products.