What is the difference between a security analyst and a security evaluator?
A security analyst focuses mostly on the technical side of the certification process. This includes conducting a vulnerability analysis on the product and focusing on specific elements and their security. A security evaluator, however, has to consider the entire picture, for example including a lot of documentation in scope.
How did you join Riscure?
I was doing a Master’s in Data Science with Cybersecurity and my thesis was about deep learning leakage assessment. Some of the papers I was reading on the subject were from Riscure. Then during one of the recruitment days, I met the team, we had a few discussions and then I sort of rolled into the company.
What is Riscure like internally?
A lot of fun. The security team is a very tight group, we help each other out, especially when someone is still learning. It excites me to work with amazing companies, but especially with amazing people. Here I discovered for myself that it doesn’t matter too much what kind of work you do, but it matters who the people you work with are. Although Riscure is now over 20 years old, it’s still a very youthful company in its spirit. And it’s mainly because of the people who work here.
What is your view on the device security industry?
Companies continue to develop and send out to the market products that stay there for 5 to 20 years. Sure, if the product is there for a few years, there is time to update its security in the following release. But if the product is there for 20 years, especially in a world where it is crucial to keep up with adversaries, it is vital to make sure the product is very secure. So it requires a lot of attention and understanding of what the product does and how it works. Furthermore, in this process developers should ensure that it is secure enough and that the most obvious holes are protected.
What impact do you or Riscure have on the device security industry?
You can see the impact on the products. We are creating a more secure world by providing advanced technical knowledge. Now that I’m working as a security evaluator, I can see how having a technical person in this role, in comparison to some other labs, is taking it a step further in the security assessment. Having the technical knowledge helps me and my colleagues to dive a level deeper into the project’s security state and to get creative with testing methods as well, in order to support our customers.
What is the role of security certifications in the industry?
In many markets, if your product doesn’t have a certificate, you cannot operate and get your products to that market. However, receiving that certification is often a complex process, as a lot of work needs to be done providing detailed information and paying for tests, while the outcome could even be that the product needs to be changed in a very integral way or is not allowed to go to the market at all. Even if the product is in a market where it is not mandatory to have a certification, it can still be a pressure point. Receiving a certification can establish the company as a reliable brand, and can get the products to the top class of quality and prestige. So on one side, from the business and financial perspective, security is an obstacle; however, it is crucial for the company’s reputation, success, and the possibility to be on the market.
What does a certification process look like?
We can divide the certification process into 3 steps:
We have to prove to the certifier as a lab that we know what the product in question is, how it was built, and what it is claiming to be. This stage involves processing lots and lots of documentation. It consists of multiple procedures which range from very formal mappings to semi-formal review procedures. After following the formal and semi-formal procedures and testing our understanding to the fullest, we move to step two.
Now that we have an image of the product, what it claims and doesn’t claim, and what assets attackers could be interested in, we are ready for step two: a test plan. Knowing what risky design moves could be and how we could test them, we propose various approaches to how we could test the product. Of course, each expert might have a different approach or idea to testing, so to eliminate the chances of some approaches being overlooked, we compile a team of multiple people with different expertise. This plan is given to the certifier with detailed explanations, and if it’s approved we start to execute the plan.
Executing the testing plan is step three. In this phase, if we manage to break it in a test phase, it’s not necessarily game over. Usually the device can be updated to patch anything we found. Another scenario would be that an attack might prove to be too difficult for a regular attacker. At Riscure we have a lot of equipment and knowledge, with added support from the developer. The fact that we, a professional lab, managed to break the device doesn’t mean a regular attacker would have such resources to hack the device. Our results are later presented to the certifier on whether the device meets the requirements and then the certifier makes the decision on the certification.
What is your favorite part of the certification process?
I have been really enjoying conducting site audits as part of the certification process. What many people don’t know is that many certifications also have requirements for development areas and processes. As the assessment lab, we are the ones to also check whether those requirements are followed. So when conducting site audits, not only is it fun to travel with your colleagues, but you also meet amazing people and see these large production companies. I also get to learn a lot during these site audits. Working at the lab you sometimes don’t know what the development process looks like inside the company, and this is exactly what you get to discover and learn, including different technical knowledge and processes.
How has the device security industry been developing?
Funnily enough, Delft used to be the cybersecurity capital of Europe, which is why Riscure and other companies like that are all located here. Around 1997 there were a few papers published that turned the industry around and basically created it. As for the current situation, we can see more and more machine learning implementations. I’m curious to see what these would mean for the certification process and documentation. Maybe it will speed up the process massively, as a machine can read long texts of documentation better and faster. I also expect even more attention to certification, as the European Union and other political entities require more and more products to be certified.