EICAR trustworthiness strategy and minimum standard

Wednesday 4 October 11:30 - 12:30, Small talks

Sachar Paulus (EICAR)
Rainer Fahs (EICAR)
Marcel Eberling (EICAR)

1. EICAR Trustworthiness Strategy

The EICAR Trustworthiness Strategy is intended to enhance transparency in the contemporary IT security environment and its ever-evolving threats and vulnerabilities scenario, and to enable trust in the IT security products that help to create a safer environment.

The strategy encompasses the first steps towards enhancing trust and transparency in IT security products by developing minimum standards for the trustworthiness of IT security products, starting by developing minimum standards for anti-malware products and minimum requirements for testing organizations. Subsequent steps include testing, verification and certification schemes, and community building.

The minimum standards will be implemented first in a 'voluntary self-control' approach that is controlled/approved by EICAR. The 'self-declaration' process will later be complemented by a formal EICAR certification process.

The scheme began about two years ago with quite a promising start, and EICAR successfully certified AV and other IT security products as well as the first 'Trusted Lab' – AV Comparatives in Austria. We are also about to complete the 'Trusted Lab' process with Veszprog in Hungary.

Part of our strategy is a research initiative, together with the Technical University in Mannheim, to investigate options for the verifiability of trustworthiness. The status of this initiative will be presented in the second part of this briefing.

At present, after having reviewed the strategy, we have decided to take a step back, putting the product certification on hold, and placing the emphasis instead on seeking partners in industry in order to put the strategy on a broader platform and be able to discuss with partners our next steps towards formal certification and possibly verification of trusted functionality.

2. Verification of the minimum standard

There are several approaches to verifying the functional and non-functional security and trustworthiness properties of a piece of software. The OPTET project results (www.optet.eu) give a good overview of these approaches. The Common Criteria (ISO 15408) is the most prominent approach and requires a more or less formal verification of functional and non-functional security requirements. It has a number of drawbacks though – among others, that the validation is only applicable to a certain status of the software, and that it does not provide any means for checking that certain unwanted functionalities, such as backdoors or vulnerabilities, are not present in the software.

On the other hand, for example, the project 'IT Security made in Germany' aims to set requirements for a high level of trustworthiness (such as the location of research and development and the assertion of being free from backdoors), but it does not provide any means for validation. There are more approaches with a similar aim in the software security field, but until now there has been no trustworthiness standard that allows for a fast, affordable and adequate validation of trustworthiness aspects.

With the EICAR minimum standard, there is a set of requirements for (security) software that encompasses trustworthiness, security and privacy aspects. The approach chosen for validating the fulfilment of these requirements is based on observation of the software under (hopefully) realistic conditions. We will present the current state of the validation approach.

The EICAR minimum standard allows software vendors to demonstrate the trustworthiness of their solutions. Testing organizations may prepare themselves for validating the EICAR minimum standard, and users may look out for compliance with the EICAR minimum standard to benefit from a high level of trustworthiness of the software solutions (not only for security) they are looking for.



Sachar Paulus

Dr Sachar Paulus, Technical Director and board member of EICAR, is Professor of IT Security at Mannheim University of Applied Sciences, following a professorship in Security Management Brandenburg Polytechnical University. Prior to commencing his academic career, Sachar worked at SAP for eight years, where he held several leading positions in the area of security, including Chief Security Officer and SVP Product Security. In addition to his educational commitments, he runs a small consulting firm and is engaged in nonprofit organizations involved in improving information security in society.



Marcel Eberling

Marcel Eberling is a student of enterprise computing at Mannheim University of Applied Sciences, Germany. His focus is on IT security, networks and Linux. Currently working on his Bachelor thesis about 'Trustworthiness of IT-Security Software', Marcel is also a student assistant at a small Internet service provider which allows him to learn and research a lot about networks, routing and embedded devices like routers, switches and firewalls.














Other VB2017 papers

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

Keynote address: Inside Cloudbleed

John Graham-Cumming (Cloudflare)

In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…