Archive for the Category certifications


Common Criteria… and still multiple vulnerabilities

I was just notified of multiple vulnerabilities in Check Point Secure Platform R60. This is in no way surprising since all software has vulnerabilities, but the interesting thing is that the product is certified to Common Criteria Assurance level 4+ (EAL4+). This serves as a good example of why Common Criteria and similar certifications mean squat in terms of security.

I do like one thing about the Common Criteria, and that is their choice of using the word “assurance” for describing the certification. We should treat any security investment as “an increased assurance of our resistance to security incidents”. The problem with CC is that a certified product in no way assures me that it functions as it promises (an IPS with zero-day protection is a good example, since those don’t exist) or that it is without flaws. The above mentioned vulnerabilities prove that.