Wednesday, June 11, 2008

Common Criteria (or other) Certification ≠ A Secure Product

Customers are demanding more and more security certifications. While I don't disagree with certifications, I do have a problem with customers and the market equating a certification with the product being secure. This is not true.

Here's an example of a just reported vulnerability (Computerworld, May 26/08):

Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service Vulnerabilities

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

Vulnerable Products: Cisco devices running certain 12.4-based IOS releases and configured to be managed via SSH may be affected by this issue.

And, from the Common Criteria Certification's list of certified products:

Cisco IOS Firewall Version 12.3(14)T and 12.4(4)T - EAL4+ certification on 27-NOV-06
Certification report: ST_VID10038-VR.pdf
Security target: ST_VID10038-ST.pdf

...and SSH was a "security target" of the evaluation:

...the security target specifies that administration of the TOE may be conducted locally via the console port or remotely via an SSH connection to the TOE-enabled router provided an external AAA service capable of single-use mechanisms is used

QED: Security Review or Certification ≠ A Secure Product
