Apple releases Common Criteria Tools 1.0
Interesting stuff, albeit of interest mostly to gov types who have severe security concerns. You get asked about this stuff (Common Criteria, trusted systems, the Rainbow series) in the CISSP exam, and if you work outside of the government you never see it again. I mean, let's face it, the average company has trouble getting all of its applications to use complex passwords that don't cross the network in cleartext, let alone having development code--that has been analyzed for covert channels--be delivered by a secured agent to a trusted facility. And of course, none of your developers have access to production systems, right?
Summary: specific versions of Mac OS X, with the Common Criteria tools installed, on specific hardware platforms, have been certified to reach a well-defined level of security. It all sounds very qualified, and it is: compared to the results you used to get from Orange Book evaluation, it's all very specific to certain aspects on certain systems. But that was the very problem with Orange Book: the levels it provided were too broad and generic. Common Criteria solves a lot of those issues.
The TOE (the "targets of evaluation" in CC-speak) are Apple Mac OS X v10.3.6 and Apple Mac OS X Server v10.3.6, and they got an assurance level of EAL3, specific to... ah, read the details. The assurance level means nothing out of context, and you really need to read the report to get those. A really good explanation of what the assurance levels refer to is here.
If you have or are studying for your security certification and have never actually read one of these reports, take a look at this one (see the "Validation Report") here. It gives you a pretty good idea of what some of the measurement criteria are and how the systems are analyzed. Neat "real world" implementation of what, for most people, is usually just referred to in theory.