Comparing Common Criteria's Vulnerability Analysis with SAFECode's Secure Coding Practices

Abstract: Common Criteria is today used by multiple countries and authorities, to evaluate and certify secure IT products. This process is a lengthy one, that can take upwards of eighteen months. This thesis tries to solve this problem by seeing if the vulnerability analysis part of the Common Criteria on evaluation assurance level two can be replaced, by making sure that the development of the product was performed according to secure coding practices presented by SAFECode.To reach our conclusion we applied both the vulnerability analysis of Common Criteria, and the coding standards of SAFECode on a product to see what vulnerabilities we could find. After performing both of the evaluations of the product according to each process, and analysing the results. By looking at the results from both processes we were able to see if Common Criteria and SAFECode had any connections or crossovers.We found that the vulnerabilities that the Common Criteria found would not have been present if the secure coding practices of SAFECode had been used during the development meaning SAFECode could in some way be used with common Criteria. We did not find evidence that proves that the vulnerability analysis cant be replaced, we therefore imply that the possibility to replace or supplement exists for evaluation assurance level two. More research is needed on this question to provide a guarantee, for any real world application.