A Quantitative Analysis of Common Criteria Certification Practice

Samuel Paul Kaluvuri 1,2,3, Michele Bezzi 1, and Yves Roudier 2

1 SAP Labs France
2 Eurecom Institute
3 Eindhoven University of Technology

Abstract. The Common Criteria (CC) certification framework defines a widely recognized, multi-domain certification scheme that aims to provide security assurances about IT products to consumers. However, the CC scheme does not prescribe a monitoring scheme for the CC practice, raising concerns about the quality of the security assurance provided by the certification and questions about its usefulness. In this paper, we present a critical analysis of the CC practice that concretely exposes the limitations of current approaches and provides directions to improve the practice.

1 Introduction

With an increasing number of cyber attacks and security issues, governmental organizations and private companies are striving to obtain security assurance for Information Technology (IT) products. In many cases, these organizations have neither the knowledge nor the resources to assess whether a certain product has the appropriate security features, and they cannot rely only on the statements of vendors. This is due to the trust deficit that exists between consumers and product vendors. One way to bridge this trust deficit is through security certification of software. Security certification provides a practical solution to the lack of security assurance when assessing and purchasing IT solutions. Certification Authorities (CAs) perform rigorous security assessments to verify that a particular software system has certain security features, conforms to specified requirements, and behaves as expected [7]. A customer buying a certified product can rely on the “stamp of approval” of the CA. Clearly, the value of a certification depends on the reputation of the certification authority issuing it, as well as on the quality of the assessment performed.
Ideally, software purchasers can then choose among different certified products that address common security requirements. Common Criteria for Information Technology Security Evaluation (CC) (ISO/IEC 15408) [2] is the most popular security certification standard. It is a globally recognized set of guidelines that provides a common framework for the specification and evaluation of security features and capabilities of IT products. At the heart of the CC scheme lies a “common” set of security functional and security assurance requirements. These common requirements enable potential consumers