You've probably heard of security certificates (Common Criteria, FIPS) – they are supposed to certify our software/hardware is secure. But how many products are certified? How long does the certification take? Which provider is the best? What does our competition do? You'd be surprised, but even the engineers in compliance don't know! The single comprehensive database with metadata... well... did not exist :-/.

The talk will introduce sec-certs, a tool for semi-automated analysis of the certificate dataset. It is created by automatically downloading and processing all available metadata and PDFs and cross-referencing them together. This enables to gain data-backed business insights on the certificates, labs, processes and the whole certification ecosystem that were not previously available. And it's all open source as we know it: the whole dataset, tool sources and research outputs are public at sec-certs.org.

This project is a research cooperation between Red Hat, Masaryk University and Brno University of Technology, co-funded by the European Union under the CHESS project (ID 101087529).