DevConf.CZ

sec-certs.org - Security Certification Insights You Won't Find Anywhere Else
2024-06-14, D0207 (capacity 90)

You've probably heard of security certificates (Common Criteria, FIPS) – they are supposed to certify that our software/hardware is secure. But how many products are certified? How long does the certification take? Which provider is the best? What does our competition do? You'd be surprised, but even the engineers in compliance don't know! The single comprehensive database with metadata... well... did not exist :-/.

The talk will introduce sec-certs, a tool for semi-automated analysis of the certificate dataset. The dataset is created by automatically downloading and processing all available metadata and PDFs and cross-referencing them together. This makes it possible to gain data-backed business insights into the certificates, labs, processes and the whole certification ecosystem that were not previously available. And it's all open source as we know it: the whole dataset, tool sources and research outputs are public at sec-certs.org.

This project is a research cooperation between Red Hat, Masaryk University and Brno University of Technology, co-funded by the European Union under the CHESS project (ID 101087529).

A computer science and cyber security student at BUT Faculty of Information Technology and a software engineer at Red Hat working on RHEL In-place upgrades.

Jaroslav Řezník is a Principal Program Manager responsible for Red Hat’s government certifications under the Product Security Compliance team. In his 16 years at Red Hat, he has touched many different areas from very different angles, from the community work on Fedora that is still his passion to compliance with government standards like Common Criteria and FIPS.