Solaris 11 Common Criteria Evaluation

Oracle Solaris 11 is now "In Evaluation" for Common Criteria at EAL4+. The protection profile is OSPP with the following extended packages: AM - Advanced Management, EIA - Extended Identification and Authentication, LS - Label Security, VIRT - Virtualization. For information on other Oracle products that are evaluated under Common Criteria or FIPS 140, please see the general Oracle Security Evaluations page.

Please email seceval_us@oracle.com for all inquiries regarding Oracle security evaluations; I can't answer questions about the content of the evaluation on this blog or directly by email to me.

Comments:

Thanks for posting this; good to know. I haven't seen OSPP before; hopefully after the issues with MRPP and HRPP things have now settled down at Common Criteria org, and OSPP is a worthy successor to CAPP, RBACPP and LSPP. I can see a downside with all the details being bundled into one PP, though; people will now need to inquire even more closely about claims being made and tested, rather than just looking at what PPs are in a certification.

It's also worth knowing, though, that there's been a bit of a change in the opinions of The Powers That Be; I was at a conference the other week where a speaker from Such An Organisation said "CC / CAPS / etc doesn't remove one's need to think, and is no statement against vulnerability to future exploits", and therefore "uncertified products are fine, just test the hell out of them regularly as part of your maintenance schedule".

He also said that a vendor's commitment to address issues in a timely fashion as they are found is important, so it looks like the UK is wising up to there being value behind the "+" in "EAL4+", which has until now been considered US-specific.

This said, it'll probably take a while for everyone who currently exists on CC-certified products to re-examine and update their security policies; some may well decide to stick with CC-certified products owing to risk appetite or financial considerations when it comes to the feasibility of regular aggressive pen-testing.

Posted by Dave Walker on February 21, 2012 at 01:47 PM GMT #

About

DarrenMoffat
