PP v/s EAL: Where Does Security Assurance Reside? (M22b)
Over the last few years Common Criteria has gone through a major change, some would say an upheaval. With the move to the PP/cPP-based exact conformance paradigm, two distinct schools of thought have emerged. In one camp are the traditionalists, who believe the PP/cPP-based exact conformance approach reduces security assurance by making all products meet the lowest common denominator. On the other side, the PP/cPP enthusiasts believe their approach is pragmatic given the complexity of modern ICT products; in their view the EAL-based approach creates an arms race in which true security assurance is compromised. This presentation will compare two evaluations of similar products, one evaluated against a PP/cPP and the other using the EAL approach. Various security assurance attributes will be defined, and each evaluation will be scored on a per-attribute basis. Some qualitative analysis will be performed as well. The outcome will be data driven, and the speakers hope to get a better grasp on where greater security assurance is really gained: PP/cPP or EAL.