Evaluation model for computer security software products based on ISO/IEC 15408 Common Criteria

Main Article Content

José Alejandro Chamorro López
Francisco Pino


This article presents a model that enables software developers to evaluate their products under the ISO / IEC 15408 Common Criteria, starting with a risk analysis to several companies in Colombia, selected by the obligations to comply in the level of security law information, with an unfavorable outcome that demonstrate the need to implement the standard. From these results we developed a model, which achieves software conceptualized in a TOE (Target of evaluation) which corresponds to an ICT (Information and Communications), and evaluated according to a ST (Secure Target) Common Criteria portal officer, under the functions and required levels in order to identify shortcomings in compliance and safety recommendations for improvement.

Article Details

Original Research
Author Biographies

José Alejandro Chamorro López, Password Consulting Services, Cali

Bio Statement is available in Spanish

Francisco Pino, Grupo de I&D en Ingeniería del Software Universidad del Cauca, Popayán

Bio Statement is available in Spanish


Aceituno, V (2006). ISM3 1.0. Information security management maturity model. Barcelona, España: ISECOM. http://hades.udg.es/~xavier/downloads/White_Papers/ISM3.es.1.0.pdf

Almanza, A. (2011). Seguridad informática en Colombia: tendencias 2010-2011. Sistemas, 119, 46-73. http://www.acis.org.co/fileadmin/Revista_119/Investigacion.pdf

APM Group (2007). Welcome to the official ITIL® Website. http://www.itil-officialsite.com/
Apuestas para crecer (2008, Octubre). Revista Dinero, 312, Recuperado de: http://www.dinero.com/caratula/edicion-impresa/articulo/apuestas-para-crecer/69337

Cano, J. (2004). Inseguridad informática: un concepto dual en seguridad informática. Revista de Ingeniería (19), 40-44. http://revistaing.uniandes.edu.co/pdf/Rev19-4.pdf

Cano, J., Samudio, E., Prandini, P., Corozo, E., & Almanza, A. (2011). III Encuesta latinoamericana de seguridad de la información. ACIS, 2011 [Slides]. Recuperado de http://www.acis.org.co/fileadmin/Base_de_Conocimiento/XI_JornadaSeguridad/Presentacion_Jeimy_Cano_III_ELSI.pdf

COACT Inc. (2006). Secureinfo risk management system Version Security Target. San Antonio, TX: SecureInfo. Recuperado de http://www.commoncriteriaportal.org/labs/

Common Criteria (s.f). Licensed laboratories. Recuperado de: http://www.commoncriteriaportal.org/labs/

Common Criteria. (2000). Arrangement on the recognition of Common Criteria certificates in the field of information technology security. Recuperado de http://www.commoncriteriaportal.org/files/operatingprocedures/cc-recarrange.pdf

Computer Security Institute [CSI]. (2011). 2010/2011 Computer crime and security survey. New York, NY: CSI
Dirección General para el Impulso de la Administración Electrónica. (2011). Magerit versión 2. Recuperado de http://administracionelectronica.gob.es/?_nfpb=true&_pageLabel=PAE_PG_CTT_General&langPae=es&iniciativa=184

European Network of Information Security Agency [ENISA] (2011). About Enisa. Recuperado de: http://www.enisa.europa.eu/publications/studies
Fernández, E., Moya, R., & Piattini, M. (2003). Seguridad de las tecnologías de la información: la construcción de la confianza para una sociedad conectada. Madrid, España: Aenor. ISBN 84-8143-367-5

Fraude en impuestos (2011, Noviembre 30). El Espectador.com. Recuperado de: http://www.elespectador.com/impreso/bogota/articulo-314297-fraude-impuestos

Herzog, P. (2010). OSSTMM 3 – The open source security testing methodology manual. Barcelona, España: ISECOM. http://www.isecom.org/mirror/OSSTMM.3.

Information Systems Audit and Control Association [ISACA]. (2011). Cobit framework for IT governance and control. Recuperado de http://www.isaca.org/knowledge-center/cobit/pages/overview.aspx

Instituto Colombiano de Normas Técnicas [ICONTEC] (2006). Norma técnica NTC-ISO-IEC 27001:2005, Anexo A. Bogotá, Colombia: ICONTEC.

International Organization for Standardization [ISO/IEC]. (2005a). 15408-1 Information Technology — Security techniques — Evaluation criteria for IT security part 1: Security functional requirements. Ginebra, Suiza: ISO

International Organization for Standardization [ISO/IEC]. (2005b). 15408-2 Information Technology — Security techniques — Evaluation criteria for IT security part 2: Security functional requirements. Ginebra, Suiza: ISO

International Organization for Standardization [ISO/IEC]. (2005c). 15408-3 Information Technology — Security techniques — Evaluation criteria for IT security part 3: Security assurance requirements. Ginebra, Suiza: ISO

Internet Crime Complaint Center [IC3]. (2010). Internet crime report. Richmond, VA: NWC3. http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf [Citado el 4 de Diciembre 2011

López, A., & Ruiz, J. (2005a). La serie 27000. Recuperado de http://www.iso27000.es/iso27000.html#section3b
López, A., & Ruiz, J. (2005b). ISO27000. Recuperado de: http://www.iso27000.es/iso27000.html

National Institute of Standards and Technology [NIST] (2011). Computer security division. Computer security resource center. Recuperado de http://csrc.nist.gov/
PoisAnon (2011). PoisAnon - Operation:RobinHood [Video]. Recuperado de http://www.youtube.com/watch?v=aymM8ONuQpg

SANS Institute (2011). Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines. Recuperado de http://www.sans.org/critical-security-controls/
Software Engineering Institute [SEI]. (2008). Octave. Recuperado de http://www.cert.org/octave/

SYMANTEC (2011). Descripción general de la tecnología. Recuperado de: http://www.symantec.com/es/es/about/profile/Technology.jsp

Zone-h.org (2010). Ataque a UNE. Recuperado de http://www.zone-h.org/mirror/id/10272455