TURKISH STANDARDS INSTITUTION

INFORMATION TECHNOLOGY

and CYBER SECURITY

CERTIFICATION SERVICES

TSE - Necatibey Cad. No: 112 Bakanlıklar - ANKARA / TURKEY - www.tse.org.tr - [email protected] - [email protected]

Services covered in this brochure:

• TS ISO/IEC 15408 - IT - Security techniques - Evaluation criteria for IT security (COMMON CRITERIA)
• TS ISO/IEC 19790 / 24759 - IT - Security techniques - Security requirements for cryptographic modules and Test requirements for cryptographic modules (CRYPTO)
• TS ISO/IEC 15504 - IT - Process capability determination - SPICE and organizational maturity
• TS ISO/IEC 25051 - IT - Software packages - Quality requirements and testing
• TS 13298 - IT - Electronic records management
• TS EN ISO 9241-151 - Ergonomics of human-system interaction - Part 151: Guidance on World Wide Web user interfaces
• TSEK 194, TS ISO/IEC 40500 - Web Content Accessibility Guidelines
• Security Evaluation/Tests
• Site Security Certification
• First Level Security Certification
• QWEB Certification

TS ISO IEC 15408
INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - EVALUATION CRITERIA FOR IT SECURITY (COMMON CRITERIA)

Common Criteria, Information technology -- Security techniques -- Evaluation criteria for IT security (ISO 15408), is the security standard developed to identify the security levels of information technology products and/or systems and to have them tested by independent laboratories. It is based on the TCSEC and ITSEC standards and was accepted by the International Organization for Standardization (ISO) in 1999 as the international IT security evaluation standard.

Turkish Standards Institution, in the name of Turkey, accepted the evaluations of the certificate-producing countries by signing in September 2003 the Common Criteria Recognition Agreement, signed by the countries which accept this standard, and implemented the Common Criteria Certification Scheme (CCCS), established within the TSE Product Certification Center. CCCS had a Shadow Certification by an Audit Group from CCRA in April 2010.

IT products that have taken CC certificates from Turkish Standards Institution, as the National Common Criteria Certification Body, according to the results of a licensed independent TSE test laboratory, have had their threats determined and, by application of these criteria, effective safeguards verified on the product.

TS ISO IEC 15408 has 3 parts: Part 1, Part 2 and Part 3. There are also 7 Evaluation Assurance Levels (EAL); assurance increases with the EAL number.

TS ISO IEC 15504 SPICE
INFORMATION TECHNOLOGY - PROCESS ASSESSMENT - SOFTWARE PROCESS IMPROVEMENT AND CAPABILITY DETERMINATION

Turkish Standards Institution, aware of its task of creating and generalizing SPICE standards, has brought TS ISO IEC 15504/SPICE training, assessment and certification functions to Turkey with an expert team holding the licence named "International Certification Body", and so has taken a very important step in growing the notion of "Software Quality" in Turkey. TSE has also started to perform SPICE assessments and issue certificates.

The goal of the SPICE model is to provide a common software evaluation principle for different models and methods. Thereby the results of evaluations may be reported in a common language.

The reference model describes the essential targets of software engineering at the upper level and applies to all software companies that want to purvey, develop, operate or improve software, and aims to create the capability to support software. The model is not based on a specific organisation structure, management philosophy, software life-cycle, software technology or a specific development methodology.

TS ISO IEC 25051
INFORMATION TECHNOLOGIES - SOFTWARE PRODUCT QUALITY CERTIFICATION

TSE also performs certification services according to the Software Product Quality Certification standard. This standard can be applied to software products such as text processors, spreadsheets, database programs, graphic products and programs with technical or scientific functions.

TS ISO IEC 25051 consists of:

• Properties of software products (quality properties)
• Guidance that shows how this software product is tested.

It does not cover the processes of production of software products.

CRYPTO
TS ISO IEC 19790 AND TS ISO IEC 24759 (EQUIVALENT TO FIPS 140-2,3)
INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES AND TEST REQUIREMENTS FOR CRYPTOGRAPHIC MODULES

In information technology there is an ever-increasing need to use cryptographic mechanisms, such as the protection of data against unauthorised disclosure or manipulation, entity authentication and non-repudiation. The security and reliability of such mechanisms depend directly on the cryptographic modules in which they are implemented. This International Standard provides four increasing, qualitative levels of security requirements intended to cover a wide range of potential applications and environments. The security requirements cover areas relating to the design and implementation of a cryptographic module. These areas include:

• cryptographic module specification;
• cryptographic module ports and interfaces;
• roles, services, and authentication;
• finite state model;
• physical security;
• operational environment;
• cryptographic key management;
• self-tests;
• design assurance;
• mitigation of other attacks.

This standard defines 4 security levels. A module can claim conformity to one of these levels depending on its security requirements. The first level requires basic security requirements; on the other hand, a module that takes the fourth security level certificate meets all of the security requirements in the standard.

TSE conducts CAVP (Cryptographic Algorithm Validation Program) and CMVP (Cryptographic Module Validation Program). If a vendor wants to apply for CMVP, its module has to include at least one validated cryptographic algorithm; otherwise it has to apply for CAVP.

The evaluation system is similar to the Common Criteria evaluation system. There are three different groups: Certification Body, Evaluator and Vendor. The TS ISO/IEC 24759 standard is used as a guidance document by the laboratory and the vendor; in this respect it is similar to the Common Evaluation Methodology.

TSE-CMVP: Cryptographic Module Validation Program
TSE-CAVP: Cryptographic Algorithm Validation Program

QWEB CERTIFICATION

Rapid changes in information technologies affect human life, and not only humans: companies that provide public services are also adapting their skills to new conditions by developing and using new methods and techniques. E-business activities are increasing day by day for reasons of transparency, accountability, openness, improvement of service quality and reduction of wasted time and resources.

e-Commerce

As defined by the OECD, an e-commerce transaction is the sale or purchase of goods or services, conducted over computer networks by methods specifically designed for the purpose of receiving or placing orders. The e-commerce concept has attracted the private sector in recent years; most companies are marketing and selling their products and services on the internet. Some transactions widely run online are: buyers' investigation before buying, companies' meetings and deals, payment transactions, fulfilment of liabilities, delivery procedures, after-sale maintenance and support. The increasing number of e-business and e-commerce activities brings a need for standards and certification. With Qwebmark certification, trustworthiness, quality of service, security level and transparency will rise.

Qweb Mark

The purpose of the Qweb certification scheme is to develop and raise trust and confidence in electronic business, and also to ensure security and privacy for the treatment of personal and financial data. Qweb is the e-business certification system that allows real growth of companies towards quality and security with increasing attention to customers' needs. Qweb is the IQNet system for the certification of e-business activities world-wide.

Advantages

Major benefits for companies offering goods, services and information on the Internet are:

• the e-business activity conforms to the best available standards
• with a mouse click the certification is validated and information is given about the company, the certification body and the activity which is carried out
• priority is given to the customer's expectations
• the e-business activity is secure, reliable and customer-friendly
• the company can rely upon the customer's confidence as a competitive advantage

Major benefits for companies or consumers using services and buying goods on the internet are:

• the site is reliable and legally registered
• the e-business service is of the best quality
• the selling conditions and delivery terms are clear and true
• security and privacy are applied for the treatment of personal and financial data
• customers' complaints are taken into consideration and appropriately dealt with
• consumers may resort to out-of-court dispute settlement.

SITE SECURITY CERTIFICATION

One part of the security of IT products is the security of the environment in which they are developed. Security of the environment in which a product is developed is ensured with the Site Security Certification Programme. Thanks to this certification, "CC certification without TOE" and "the reuse of the Site Security Certification at the TOE evaluation" are provided in order to verify that a predefined environment meets the CC requirements related to the ALC class. The purpose is to save time and cost. The scope of this certification programme is defined below:

• Definition of the evaluation of the environments in which products subject to Common Criteria Certification are developed, together with the processes, criteria and methodologies of the certification.
• Evaluation/certification of the environment modularly, without any TOE.
• Results of the certification process can be used in a succeeding Common Criteria product evaluation.
• Provision of reusable evaluations about the ALC.

Site Security Certification consists of 3 basic procedures, defined below:

• Site Security Certification Procedure: includes all mandatory phases in order to issue the "Site Security Certification" to a development environment or a part of it.
• Integration Procedure: defines the procedure for merging all certified and/or uncertified parts of a lifecycle to make a bigger asset.
• Procedure of the Integration of the Site Security Certifications: provides reusability of the certified ALC materials for a defined TOE evaluation.

In brief, Site Security Certification is the security certification of the environments which took part in the development of various products, and the use of these evaluation results to simplify the different TOE evaluation processes in terms of time and cost.

FIRST LEVEL SECURITY CERTIFICATION

One of the major subjects in cyber technologies is security evaluation. 1st Level Security Certification is a security evaluation programme that aims at a simple, fast and effective security evaluation.

Participants in the 1st Level Security Certification process are:

• the sponsor;
• the evaluation facility;
• the certification body within ANSSI;
• optionally the developers of the product submitted for evaluation.

The Certification Body draws up the procedures, forms, guides, etc., that allow the 1st Level Security Certification to be implemented, elaborates the criteria and general methods of evaluation for 1st Level Security Certification, and licenses evaluation facilities that satisfy the criteria listed in the licensing procedure of the certification body. The evaluation facility is licensed by TSE (Certification Body) only for the technical areas in which it has proved to hold sufficient expertise. The evaluation facility evaluates the product by means of its technical experts and reports its findings to the Certification Body.

The First Level Security criteria define the minimum security requirements that a product or system should have. A product evaluation should verify that the product provides the security specifications stated in its security target, that all security functions reach at least "base" level strength, and that no vulnerability is found in the evaluation.

The evaluation has two basic targets:

• To identify the suitability of the security specification of the product.
• To determine the effectiveness of the security functions served by the product.

The evaluation has two additional targets if the basic security functions of the product are performed by cryptographic mechanisms:

• To identify the suitability of the security requirements of TS ISO/IEC 19790 for the cryptographic mechanisms of the product.
• To identify that these mechanisms are applied correctly by the product according to their definitions.

Within the scope of the Crypto Module/Algorithm Verification Programme of TSE, these tests are performed in accordance with the test requirements of TS ISO/IEC 24759.

The evaluation is related to the items below:

• the current documentation;
• the general vulnerabilities which should be tested or at least known;
• the product itself, set up on a test platform that represents the predicted usage environment.

WEB CONTENT ACCESSIBILITY GUIDELINES
TSEK 194 - ISO/IEC 40500:2012

Web Content Accessibility Guidelines (WCAG), TSEK 194 - ISO/IEC 40500:2012, covers a wide range of recommendations for making Web content more accessible. Following these guidelines will make content accessible to a wider range of people with disabilities, including blindness and low vision, deafness and hearing loss, learning disabilities, cognitive limitations, limited movement, speech disabilities, photosensitivity and combinations of these. Following these guidelines will also often make your Web content more usable to users in general.

WCAG - TSEK 194 success criteria are written as testable statements that are not technology-specific. Guidance about satisfying the success criteria in specific technologies, as well as general information about interpreting the success criteria, is provided in separate documents.

Web Content Accessibility Guidelines (WCAG) is developed through the W3C process in cooperation with individuals and organizations around the world, with the goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations and governments internationally.

WCAG is primarily intended for:

• Web content developers (page authors, site designers, etc.)
• Web authoring tool developers
• Web accessibility evaluation tool developers
• Others who want or need a standard for web accessibility

Related resources are intended to meet the needs of many different people, including policy makers, managers, researchers and others.

TS EN ISO 9241-151
ERGONOMICS OF HUMAN-SYSTEM INTERACTION - GUIDANCE ON WORLD WIDE WEB USER INTERFACES

It is widely accepted that usability is a key factor in successful website design, but until now there has been no internationally agreed standard that specifically addressed the usability of World Wide Web (WWW or Web) user interfaces. This part of ISO 9241 provides guidance on the human-centred design of software Web user interfaces with the aim of increasing usability. Web user interfaces address either all Internet users or closed user groups such as the members of an organization, customers and/or suppliers of a company, or other specific communities of users. The recommendations given in this part of ISO 9241 focus on the following aspects of the design of Web user interfaces:

- high-level design decisions and design strategy;
- content design;
- navigation and search;
- content presentation.

TS 13298 ELECTRONIC DOCUMENT MANAGEMENT

TSE also performs certification services according to the standard TS 13298 Electronic Document Management. In order to identify the standards required for protecting the properties of electronic documents produced, or producible, within organisations, this standard covers the items below:

• Required system components for an Electronic Document Management System (EDMS)
• Required document management techniques and applications for EDMS
• Requirements that enable the management of electronic documents
• Requirements that enable the management functions of non-electronic documents to be maintained in an electronic environment
• Diplomatic properties of electronic documents which are mandatory
• Precautions that ensure the judicial legality of electronic documents
• Completing the system infrastructure required to use electronic signatures and stamps

SOFTWARE TESTING LABORATORY

The ISO/IEC 29119 software testing standard, which will guide software testing, is being prepared on the basis of the standards IEEE 829, IEEE 1008, BS 7925-1/-2 and IEEE 1028. The draft of the standard contains these parts:

• Part 1: Definitions & Vocabulary (BS 7925-1)
• Part 2: Test process (BS 7925-2)
• Part 3: Test Documentation (IEEE 829)
• Part 4: Test Techniques (BS 7925-2, IEEE 1008)

1. Performance testing

Performance testing is the measurement of a system's performance when the system is under load, and the assurance of the expected system performance. Performance testing aims to work out the bottlenecks of the system under overload, in parts such as the code, while also determining the application's performance levels under regular circumstances. The questions that performance testing intends to answer are:

• Does it meet the system requirements?
• How does the system work under regular circumstances?
• How do increments in system data traffic affect functionality and operation time?
• At which user level do performance problems occur?
• Which component of the system causes the decrease in performance levels?

In general, the performance testing process is as follows:

• Determining the structure of the system to be tested
• Determining normal and maximum load levels
• Creating scenarios and virtual users
• Selecting the test tool to be used
• Running the test
• Analysis and interpretation of test results

2. Functional testing

Functional testing is the test which looks at whether an application's functions are working properly. It refers to whether the application meets the user's requests. It illustrates the user's moves and tries to ensure that the process flows are working properly and the requests are appropriate. There are input sets and expected output sets corresponding to the requirements identified earlier. The outputs of the tests and the pass/fail criteria are considered, and on this basis one decides whether the application passes the test or not.

The purposes of functional testing are:

• To determine whether the application meets the needs or not
• To provide the application's intelligibility
• To provide the application's correctness, security and effectiveness while it runs
• To check whether the system works properly according to the system requirements or not

3. Penetration and Security Testing

With the improvement of internet technologies, people have become used to using the internet for important operations such as banking and official procedures. As a consequence of moving these important services to the internet, the potential for crime in real life increasingly moves to this new virtual world. That is why the security of the internet has become crucial and indispensable. To provide security on the internet, legal regulations related to cyber-crimes are prepared.

Laws Within the Scope of Cyber Crimes

Law No. 5237:

• 5237.243: Penetrating an information system in violation of the law and continuing to stay in it.
• 5237.244: Preventing the operation of, or breaking down, an information system; destroying, manipulating or making inaccessible data; placing data into the system or sending data in the system elsewhere; or taking advantage in violation of the law by using an information system.
• 5237.235: Abuse of bank and credit cards.

Law No. 5651 regulates substantive and procedural matters relating to the struggle over hosting and domain providers.

But such legal regulations are not enough to resolve the problems. So performing penetration and security tests has become indispensable for applications. Shortage of time, lack of awareness and insufficient information are some of the reasons security evaluations are neglected.

Security Evaluation/Tests

• Security evaluation and security development are different things. The CC process is the best example of this: in the CC process both the tests of the security functions (ATE) and the impenetrability of the security architecture (AVA) are evaluated. Both security development and security evaluation should be parts of the application development process.
• While a security evaluation is done in limited time, the attack surface is nearly limitless. Thus a security evaluation should be planned, programmed, organized and precisely targeted.
• Security evaluations should be repeated periodically, because the application may have been modified and there are always new attack methods.
• The most crucial phase of a security evaluation is the reporting of the evaluation. Findings and evidence identified during the evaluation should be targeted and reproducible.
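The cryptographic module requirement areas listed in the CRYPTO section above include a finite state model and self-tests. The following is an added illustration, not TSE's or the standard's code, of how those two areas fit together in a module boundary: the module powers up into a self-test state, runs known-answer tests (KATs) on its algorithms, and only then offers services; a failed KAT puts it into an error state in which every service is refused. The assumption that a module must pass its self-tests before providing service, and the class and method names, are the example's own; the KAT vectors are the SHA-256 "abc" example and RFC 4231 test case 1 for HMAC-SHA-256.

```python
"""Toy cryptographic module with a finite state model and power-up self-tests.
Added example; assumes the usual pattern that no service is available until the
known-answer tests pass, and that a failed test locks the module in an error state."""
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    POWER_OFF = auto()
    SELF_TEST = auto()
    OPERATIONAL = auto()
    ERROR = auto()


# Known-answer vectors: SHA-256("abc") and RFC 4231 test case 1 for HMAC-SHA-256
# (key = 20 bytes of 0x0b, data = "Hi There").
SHA256_KAT = (b"abc",
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_KAT = (b"\x0b" * 20, b"Hi There",
            "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")


class ToyCryptoModule:
    """Hypothetical module boundary: state transitions POWER_OFF -> SELF_TEST ->
    OPERATIONAL on success, or -> ERROR on a failed known-answer test."""

    def __init__(self, sha256_kat=SHA256_KAT, hmac_kat=HMAC_KAT):
        self.state = State.POWER_OFF
        self._sha_kat = sha256_kat      # injectable so a failing KAT can be shown
        self._hmac_kat = hmac_kat
        self.failed_test = None

    def power_on(self) -> State:
        self.state = State.SELF_TEST
        self.state = State.OPERATIONAL if self._run_self_tests() else State.ERROR
        return self.state

    def _run_self_tests(self) -> bool:
        """Pre-operational KATs: each algorithm must reproduce its known answer."""
        msg, expected = self._sha_kat
        if not hmac.compare_digest(hashlib.sha256(msg).hexdigest(), expected):
            self.failed_test = "SHA-256 KAT"
            return False
        key, msg, expected = self._hmac_kat
        got = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(got, expected):
            self.failed_test = "HMAC-SHA256 KAT"
            return False
        return True

    def _require_operational(self) -> None:
        # Services are only reachable from the OPERATIONAL state.
        if self.state is not State.OPERATIONAL:
            raise RuntimeError(f"service refused: module state is {self.state.name}")

    def sha256(self, data: bytes) -> str:
        self._require_operational()
        return hashlib.sha256(data).hexdigest()

    def hmac_sha256(self, key: bytes, data: bytes) -> str:
        self._require_operational()
        return hmac.new(key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    good = ToyCryptoModule()
    print("healthy module:", good.power_on().name, good.sha256(b"abc"))
    # Constructed failure: a corrupted expected value makes the SHA-256 KAT fail.
    broken = ToyCryptoModule(sha256_kat=(b"abc", "00" * 32))
    print("corrupted module:", broken.power_on().name, "failed:", broken.failed_test)
    try:
        broken.sha256(b"abc")
    except RuntimeError as exc:
        print(exc)
```

Injecting the KAT vectors through the constructor is only there to make the error path demonstrable; a real module keeps its vectors fixed inside the boundary, and the evaluator checks, among other things, that the error state cannot be bypassed.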
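The performance testing process in the Software Testing Laboratory section (fix load levels, create virtual users, run, analyse) can be shown end to end on a small scale. The example below is added here and is not TSE's code or any particular test tool: it sweeps a set of user levels against a constructed stand-in service that serialises part of its work on a lock, records p95 latency and throughput per level, and reports the first user level at which a hypothetical p95 target is missed, which answers the brochure's "at which user level do performance problems occur" question. The service, the load levels and the 10 ms target are all constructed for the illustration.

```python
"""Load-level sweep for performance testing (added example, not TSE's code).
The simulated service and the SLA are constructed for the illustration."""
import threading
import time

_LOCK = threading.Lock()


def simulated_service() -> None:
    """Constructed system under test: a parallel part and a serialised part.
    The lock is the deliberate bottleneck; throughput caps at roughly 1/0.002 req/s."""
    time.sleep(0.001)
    with _LOCK:
        time.sleep(0.002)


def run_load_level(service, users: int, requests_per_user: int) -> dict:
    """Run `users` virtual users concurrently, each issuing requests_per_user
    calls, and return latency and throughput statistics for that load level."""
    latencies = []
    record = threading.Lock()

    def virtual_user():
        for _ in range(requests_per_user):
            t0 = time.perf_counter()
            service()
            elapsed = time.perf_counter() - t0
            with record:
                latencies.append(elapsed)

    threads = [threading.Thread(target=virtual_user) for _ in range(users)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    wall = time.perf_counter() - start
    latencies.sort()
    return {
        "users": users,
        "requests": len(latencies),
        "p95_ms": 1000 * latencies[int(0.95 * (len(latencies) - 1))],
        "throughput_rps": len(latencies) / wall,
    }


def sweep(service, load_levels, requests_per_user: int = 20) -> list:
    """Step through normal to maximum load levels, one measurement per level."""
    return [run_load_level(service, u, requests_per_user) for u in load_levels]


def find_breaking_point(results, p95_sla_ms: float):
    """Analysis step: first user level whose p95 latency exceeds the SLA, or None."""
    for r in results:
        if r["p95_ms"] > p95_sla_ms:
            return r["users"]
    return None


if __name__ == "__main__":
    # Constructed load levels: 1 user is "normal", 20 is the assumed maximum.
    results = sweep(simulated_service, [1, 2, 5, 10, 20])
    for r in results:
        print(f"{r['users']:>3} users  p95 {r['p95_ms']:6.1f} ms  "
              f"{r['throughput_rps']:6.0f} req/s")
    print("10 ms p95 SLA first violated at users =",
          find_breaking_point(results, 10.0))
```

Because the serialised part of the service takes about 2 ms, throughput flattens out near 500 requests per second and p95 latency climbs roughly linearly with the number of concurrent users, which is the signature of a single shared bottleneck that the brochure's "which component causes the decrease" question is asking the tester to locate.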