Open Source Systems Security Certification

Enabling Open Source Systems (OSS) to become an integral part of systems and devices produced by technology companies;

Inserting OSS in the critical path of complex network development and embedded products, including methodologies and tools for domain-specific OSS testing (lab code available), plus certification of security, dependability and safety properties for complex systems;

Ensuring integrated systems, including OSS, meet performance and security requirements as well as achieving the necessary certifications, according to the overall strategy of OSS usage on the part of the adopter.

The first attempt to create a standard for security certification of software dates back to 1985 with the creation of the TCSEC standard, commonly referred to as Orange Book (USDoD 1985) in the US. In the following years, the need of such a certification also emerged in other countries, leading to the creation of similar local security certification such as ITSEC in Europe (ITSEC 1991) and CTCPEC in Canada (CSE 1993). Since these certifications are totally independent from each other, the cost of certifying software at an international level was obviously high. This was one of the key factors that led to the creation of an international standard for software security certification.

Open Source Systems Security Certification discusses Security Certification Standards and establishes the need to certify open source tools and applications. This includes the international standard for the certification of IT products (software, firmware and hardware) Common Criteria (ISO/IEC 15408) (CC 2006), a certification officially adopted by the governments of 18 nations, including United States, Germany, France, UK and Italy.

Without security certification, open source tools and applications are neither secure nor trustworthy. Open Source Systems Security Certification also addresses and analyzes the urgency of security certification for security-sensible markets, such as telecommunications, government and the military through provided case studies.

Open Source Systems Security Certification is designed for professionals, consultants and companies trying to implement an OSS-aware IT governance strategy, SMEs looking for a way to attract new markets traditionally held by proprietary products (e.g., network security and operation centers, Linux-based network switching systems) or to reduce costs. OSS development communities wishing to ensure their products become part of dynamically composed complex systems will find this volume invaluable. This book is also suitable for researchers and advanced-level students in computer science.