For global companies — especially those in the public sector and defense industries — evaluating a software solution’s security capabilities before purchasing it can be a trying task. For many companies, security certification has been a nearly impenetrable jungle of national requirements, standards, and guidelines provided by regulators and IT buyers. American software might adhere to Orange Book stipulations, whereas German software might fulfill ITSEC standards. Historically, there has been no single, agreed-upon international standard to enable easy comparisons among products’ security capabilities.
To fulfill this need, the Common Criteria for Information Technology Security Evaluation, a series of international security standards, was established in the late 1990s. This internationally recognized certification procedure provides a unified set of standards that greatly simplifies the security certification process and gives customers an easy way to compare solutions’ security capabilities. The certification also gives customers greater visibility into what a product offers, so they can more easily find the one that best fits their needs. Recognizing the benefits that these Common Criteria standards bring to our customers (see sidebar), we at SAP have worked to earn this certification for our own solutions. We first earned the Common Criteria certification for SAP NetWeaver Application Server (SAP NetWeaver AS) 7.02 Java, support package 3, and are next pursuing the certification for the ABAP stack. We are focusing on these solutions first because SAP NetWeaver AS is the foundation for all of the newest innovations and capabilities in our SAP Business Suite applications.
After learning more about the Common Criteria certification and the rigorous processes SAP has undergone to achieve it, you’ll understand why this certification can be so helpful to customers who are looking for evidence of a solution’s security capabilities before they invest.
Common Criteria 101
Before we dive into SAP’s own work with the Common Criteria certification, let’s look at the general processes an IT vendor must undergo to become certified.
First, a company must define the security requirements that its product will fulfill. There are two ways to do this:
- Create a protection profile, which is a generic form statement of security requirements deemed necessary for a product category (such as smart cards). This profile is developed by a group or community of users and states the users’ requirements regarding security functionality and assurance.
- Define a security target. This option comes into play when no protection profile is available for a certain type of software, as is often the case for complex software solutions such as those provided by SAP. In this case, the vendor creates a security target that details the evaluation criteria that will be used in the certification process. This target is basically an agreement among the vendor, the certification authority, and the evaluation lab as to which security features the product offers, and whether those features are sufficient and appropriate.
The next step for vendors is to choose an evaluation facility. This independent, commercial lab evaluates the security target for the product, checking that the target describes in detail what the target of evaluation (TOE) is and how it can be uniquely identified, which security problems are addressed by the TOE’s security functions, and how this specification conforms to the relevant Common Criteria requirements. The evaluation facility then hands its findings over to the certification authority,¹ which approves the target.
Then, the lab evaluates the product itself. If the evaluation lab is satisfied that the product meets all claims and requirements set forth by the security target, the lab submits the test results to the certification authority. If the certifier also approves, it issues a certification report and the Common Criteria certificate. This assures users of certified software that the software’s security functionality has been implemented properly and works as promised.
At the end of the day, a Common Criteria certification means that:
- A certified application’s security features and functions (such as its security management, authentication, authorization, and auditing/logging capabilities) are secure and are implemented securely.
- The development life cycle and process for that software are secure.
SAP Earns Its Common Criteria Certification
To better serve its customers (particularly those in the public sector and defense industries), SAP is embracing the Common Criteria certification process, first focusing on certifying SAP NetWeaver AS, as noted earlier. We’ve started with this product because it forms the security foundation for most SAP implementations, offering all of the security functionality that SAP Business Suite applications leverage. Since there is no protection profile for application servers, SAP instead provided a security target to the national certification authority in Germany (the Bundesamt für Sicherheit in der Informationstechnik, or BSI), listing the security features and functions that the certification would evaluate.
The depth and breadth of a Common Criteria certification is organized by evaluation assurance levels (EALs), which are general requirements that a product has to meet to complete the Common Criteria certification (see Figure 1). These EALs range from level 1 (designating software and hardware that has been functionally tested) to level 7 (designating software that has been formally verified, designed, and tested). This means that, for an EAL 1 certification, an evaluation lab will check whether documentation (that is, developer specifications, process descriptions, test procedures, and the like) is available and that the product has been tested. For level 7 certification, tests and reviews have to be performed with mathematical exactness and require a complete TOE. (In a Common Criteria certification scenario, the TOE is the software being tested.)
Figure 1: The seven evaluation assurance levels (EALs) of the Common Criteria certification
SAP is certifying its solutions for EAL 4, the highest internationally accepted level, and the level our customers most often request. EAL 4 is also the highest level at which it is likely to be economically feasible for the vendor to retrofit an existing product line to meet the Common Criteria’s specifications. Generally, vendors only apply for certification above EAL 4 if they have a military application; in this case, internal stakeholders might require a higher level.
To achieve our EAL 4 certification, we provided an array of deep design documents to both the evaluation facility and the certification authority. Then, the evaluation lab performed selected software tests and code reviews, as well as independent vulnerability tests using its own tools and methods.
The certified solution must also meet requirements called “assurance classes,” which include:
- Development (ADV): Architecture documents, specification and design documents, and descriptions of source code implementations
- Guidance documents (AGD): Documents that help the customer set up and run the software in a secure way
- Lifecycle support (ALC): Complete descriptions of all processes related to the software production and delivery (including HR procedures, facility security, source code storage and processing, and software delivery)
- Security target evaluation (ASE): Identification of which security functionality is to be certified and how these functions respond to certain security problems
- Tests (ATE): Proof that all claims mentioned in the security target have been carefully and successfully tested
- Vulnerability assessment (AVA): Code reviews that check that the source code was implemented according to specification; also includes software tests that check for security vulnerabilities
These classes are also subdivided into families. For the ADV class, for instance, the families are security architecture (ADV_ARC), functional specification (ADV_FSP), implementation representation (ADV_IMP), TSF internals (ADV_INT), security policy modeling (ADV_SPM), and TOE design (ADV_TDS).²
Figure 2 shows the breadth and depth of classes and families that a software vendor has to meet to achieve EAL 4. In the figure, the numbers 1 through 6 denote which assurance component within each family is required to achieve a given EAL. For the ADV_FSP family (class: development; family: functional specification), for example, these numbers correspond to the following components:
- ADV_FSP.1: Basic functional specification
- ADV_FSP.2: Security-enforcing functional specification
- ADV_FSP.3: Functional specification with complete summary
- ADV_FSP.4: Complete functional specification
- ADV_FSP.5: Complete semi-formal functional specification with additional information
- ADV_FSP.6: Complete semi-formal functional specification with additional formal specification, in addition to the information required by ADV_FSP.5
So, to achieve EAL 4 for the ADV_FSP family, SAP had to prove that its solution met the “complete functional specification” requirement (ADV_FSP.4). For certain requirements, SAP even aimed above and beyond the scope of EAL 4, thereby earning an EAL 4+ certification. The certification of SAP NetWeaver AS for Java also includes the flaw remediation family of the lifecycle support class (ALC_FLR). This shows customers that SAP has a process in place for handling any security flaws.
Figure 2: To earn its EAL 4 Common Criteria certification, SAP had to meet all of the requirements outlined in the EAL 4 column of this chart; the chart also gives customers an easy way to see which specifications the solutions they are evaluating will meet
Now that SAP has earned the Common Criteria certification for SAP NetWeaver AS for Java, we’ll next be working to certify the solution for the ABAP stack. (We’re aiming for an EAL 4+ certification for this software, as well.) In fact, we have already started this project and have provided the BSI with a security target for SAP NetWeaver AS ABAP 7.02, support package 6.
We’re proud of having achieved this important security certification, which represents a huge investment and is proof that SAP is working according to internationally applied security requirements.
To learn more about the Common Criteria certification, visit www.commoncriteriaportal.org and https://service.sap.com/commoncriteria.
Gerlinde Zibulski (firstname.lastname@example.org) has been with SAP for more than 11 years. She brings to the table her experience in consulting, product management, executive assistance, and product strategy. Since 2001, Gerlinde has specialized in the security features and functions of SAP and is now Head of the Product Management Team for Security and Identity Management. Gerlinde holds a master’s degree in economics from the Private University Witten/Herdecke.
Regine Schimmer (email@example.com) is a Solution Manager for SAP NetWeaver Identity Management. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG in Walldorf and SAP Labs in Palo Alto, California. Regine has also participated in creating security awareness campaigns. She is currently part of the rollout team for SAP NetWeaver Identity Management at SAP AG in Walldorf.
Annette Fuchs (firstname.lastname@example.org) is leading the Common Criteria certification projects at SAP. She is a Senior Product Manager in security product management with a focus on security quality and the involved processes. Annette has been working with SAP for 17 years, specializing in the field of security since 2002. She holds a BA in international management from the University of Applied Sciences for Economy and Management in Frankfurt/Main.
¹ Fourteen countries have certification authorities. In Germany, the Federal Office for Information Security fills this role. For a list of participating countries and certification authorities, visit www.commoncriteriaportal.org.
² For a complete listing of the families within each assurance class, visit www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R3.pdf.