The (Not So) Common Criteria Certification
It seems like every day now we see news about new cyber attacks, security breaches of high profile companies, and steadily rising growth of awareness of security concerns. It only makes sense then that customers of IT solution vendors should demand more in terms of security assurances around the software and products they use. We see these requirements come up on RFI/RFP type documents, but often they are not fully vetted or audited until post-deployment. We have seen more requirements creeping up as well around standards such as FedRAMP, ISO 27001, etc., but often these are focused solely on cloud-based and shared service type deployments, and are only post-deployment type certifications, which can be adhered to with bolted-on security after issue discovery. There is an inherit flaw in this type of post-deployment adherence type logic. Products should not just be customize-able to hit security targets and should not only be focused on being vulnerability-free. Products should be desi