You want what? By when?? …. Ok! (M10c)
We were already in an era where new TOEs must be on the market like clockwork: this year’s phone must be evaluated and certified, and production must have started, before the CEO launches that newest flagship phone at the big annual event. It cannot be late. We’ve entered a present where products are patched to a new certified state, in the field, even after a potential exploitation. That TOE is out there, in the doorbell, in the car, in a hundred other devices. It cannot be recalled. We’ll go into a future where showing that products are certified reduces insurance costs and liability. That product, certified or not, can hack others. It cannot be ignored. This talk will show the various currently established, almost completed and expected future approaches for maintaining the required assurance while meeting these ever more demanding circumstances: from pre-compiled developer evidence, to alternative evaluator reporting, to attestation mechanisms for certification, and more.