Mobile solutions from Microsoft and Blackberry have received the fastest common criteria security accreditations in the Department of Defence's history.
The latest Blackberry and Windows Mobile Platforms received accreditation after a record year-long assessment to meet the Defence Signals Directorate's (DSD's) Common Criteria certification.
Speaking at the 2008 ID and Access Management Summit in Sydney, DSD assistant secretary for information security Robert Campbell said the record speed was achieved because the vendors worked closely with the DSD and put their products through extensive security testing.
"Security flaws slow down evaluation because the product solutions have to be sent back to be fixed," Campbell said.
"[Vendors] should work as closely as possible with the DSD and the laboratories assessing the product to get accreditation as soon as possible."
Campbell said Microsoft and Blackberry were quick to rectify security flaws and sought technical support from the DSD.
He urged vendors to submit products only after rigorous testing and recommended submitting through the lowest appropriate accreditation level to speed-up review.
Perth-based software company Secure System achieved top secret accreditation for its Silicon Disk Encryption product and won a contract with the Department of Defence, after it redesigned the product under close guidance from the DSD.
Consumer guidelines have been added to the Common Criteria to simplify the technical target lists that explain why products have been accredited.
The guidelines show consumers which element of solutions have been accredited, since uncertified solutions can be listed under the criteria's accredited product lists by passing only one component through the evaluation process.
"A VPN and firewall can be passed and listed on the product lists by evaluating the firewall alone," Campbell said.
Wireless technology and converged communications have been added to the ACSI 33 assessment lists; however, accreditation of biometric technology has been stymied by uncertainty and flaws.
Campbell said the technology will be more suited to the common criteria list once it is better understood by the DSD.
Most of the few biometric tools assessed by separate internal methodologies were passed only after arduous security updates or entire rebuilds. A single camera iris scanner was rejected after the DSD discovered users could breach identities by tilting their heads.
Biometric products are assessed for database security, integrity of hash lists, and biometric templates.
Campbell said the DSD security manual, ACSI 33, follows principle rather than rule, and urged industry to submit recommendations for its assessment criteria.