Certification: ENISA's view on the problems and how to fix them

On 15th April* ENISA published a report on advancing software security in the EU as part of its activities to support the EU’s cyber certification work. The report notes that as security breaches increase, it is “striking how fundamental security principles and techniques are often overlooked” when software is developed. While it is clear that security should be built into the development and maintenance process, and that certification may help achieve this, work is needed to improve the current certification landscape. In the report ENISA therefore looks at:

- the most relevant standards and approaches to software security which currently exist (such as Common Criteria, the OWASP ASVS and PCI SSC) and their shortcomings; and

- considerations for the EU’s newly established cyber security framework which may help improve security.

Issues with certification

The shortcomings identified by ENISA include:

- A lack of clear guidance: many software security related standards exist and their requirements largely overlap but there is limited co-ordination and few widely used standardised ways for assessing the security of software products.

- Quality assurance issues: issues with information asymmetry mean it is often not clear to a non-expert what a certificate or assessment report actually means for particular products. Complex supply chains exacerbate this issue. For example a product may be certified, but key elements may be out of scope of that certification.

- Sustained trust issues: current certification schemes do not maintain confidence in the security of a software product over time – newly discovered risks/vulnerabilities arise and the product may change. The certification process may also result in developers holding back security enhancing updates as significant changes to a product may lead to the loss of its certification, requiring additional investment to re-certify.

- Difficulties assessing software processes: a good software development process will minimise security risks. However, this is hard to review reliably in practice, particularly under current schemes. Some aspects (like skills and knowledge) are hard to measure and there is also a big difference between having a good process and executing it well.

Can the new EU framework drive improvements? 

ENISA lists a number of practical considerations relevant to software development and maintenance within the EU cyber security certification framework (established under the Cyber Security Act) that may help. For example:

- Developers/manufacturers of certified products and services could develop common repositories for shared security aspects of their products as well as publically disclosed vulnerabilities.

- European standards organisations and standards developing organisations should co-ordinate on priority areas and periodically communicate with the Commission.

- The EU cyber security schemes could provide:

- assurance levels that are appropriate to different risk levels - e.g. lightweight conformity assessments could support self-assessed assurance levels, which should also stop developers holding back products changes for fear of expensive re-certification costs; and

- assurances around the development process as well as the product by setting process guidelines for software development, maintenance and operation.

Please see our previous blogs for more information on the Cyber Security Act and the UK’s approach to the EU’s certification framework post Brexit.

*Note: Despite its recent publication, the report is dated November 2019.