A few weeks back, JBoss Enterprise App. Platform 4.3 achieved Common Criteria Certification at Evaluation Assurance Level (EAL) 2+ – here’s the press release and here’s the evaluator’s updated page.
Common Criteria Evaluation is an internationally recognized standard that defines a framework for computer system users to specify security requirements, for vendors to implement them, and for third-party evaluators to test them. The Evaluation process ensures that this is all carried out in a consistent, formalized and standard way.
The Evaluation Assurance Level (EAL) describes the “depth and rigour” of the evaluation, not necessarily the security hardness, though products certified at Level 7 (the highest) are likely to be deployed in more demanding and secure environments than a product certified at Level 1 (the lowest). EAL 2+ means the products have been evaluated in collaboration with the vendor (e.g. to provide development, design and test documentation).
What this means is that customers who care about security (who doesn’t?) can be assured that JBoss Enterprise App. Platform 4.3 will meet commonly accepted, best practice security requirements. Even outside military and government users, who use Common Criteria as a benchmark, this evaluation should demonstrate Red Hat’s commitment to security. It’s a long and fairly involved process and the costs aren’t insignificant.
This is the first successful evaluation for a JBoss product, but the JBoss Data Services Platform is currently in process, and we’re already planning for a more stringent evaluation (higher EAL) for JBoss EAP 5.x.