AQL

INFORMATION TECHNOLOGY SECURITY EVALUATION FACILITY (ITSEF)

 

Version Franšaise Franšais

OUR APPROACH TO SECURITY

OUR APPROACH TO EVALUATION

DEDICATED TO YOUR PROJECTS

THE FULFILMENT OF YOUR REQUIREMENTS

AN ADVANCED APPROACH TO SERVE YOU

AN ADEQUATE ORGANIZATION

IN ORDER TO MEET YOUR NEEDS

SOME OF OUR ACHIEVEMENTS


OUR APPROACH TO SECURITY

Since its foundation, Alliance Qualité Logiciel has been grounded on the conviction that applying a quality assurance process to software development naturally improves confidence in the implemented product.

AQLs involvement in the field of security is motivated by this conviction. A technical security policy has to lead the development and the evaluation of an IT product or system. This policy, scheduled as soon as the statement of needs, has to be carried out and its thorough application verified at each stage of the development process, and even on the operational sites. In this way, confidence is gained in the product or system through a suitable approach fitting the requirements and constraints of each project. AQLs Information Technology Security Evaluation Facility (ITSEF) is fully involved in this approach.

OUR APPROACH TO EVALUATION

For AQLs ITSEF, the evaluation is a partnership which intends to improve the security of Information Technology products or systems and to develop security assurance, attested by the attribution of a certificate.

This partnership, key point for successful evaluation, starts with the preparation for the evaluation. Already at this stage, we specify together all the evaluation parameters in order to define the best assurance/cost ratio and the actions to be performed in order to reach this objective.

Information interchange on a regular basis between the developers and the evaluators teams is essential all along the project progress. First of all, because it enables to anticipate some tasks and to ensure at the same time the shortest delay. Finally, because the detection of vulnerabilities in the early stages of any development, results in the elaboration of lower cost solutions.

DEDICATED TO YOUR PROJECTS

Whatever your needs are :

  • training,

  • consulting,

  • expertise,

  • feasibility study,

  • evaluation at level E1 to E6,

with the referential of your choice :

  •   ITSEC (Information Technology Security Evaluation Criteria),
  • Common Criteria,

in your technical field :

  • smart card,
  • telecommunications,
  • database systems,
  • access control,
  • specific application,
  • etc.

With AQLs Evaluation Facility, we commit ourselves on your side to the success of your projects

THE FULFILMENT OF YOUR REQUIREMENTS

AQLs Evaluation Facility members commit themselves to achieve an evaluation fulfilling your requirements. They especially commit themselves to preserve the confidentiality of the information passed on to them.

The recognition of AQLs Evaluation Facility by the SCSSI (Service Central de la Sécurité des Systèmes dInformation) is the guaranty of its ability to assure the confidentiality of your project relevant data. AQLs Facility evaluators are especially acquainted and vigilant with this matter. They adapt their methods to the confidentiality level you require.

The Evaluation Facility is based in AQLs head office, inside a security area originally conceived and built up for this purpose. A compartmentalisation is possible even on a single room basis, which is fitted out with a fully independent IT system.

AQLs Evaluation Facility takes advantage of AQLs structure, while being an independent entity of the overall company. AQL is an independent company with a capital funded by individuals.

AQL is officially authorized to work on defence-related classified projects. It applies a security policy to its organization and procedures, which are periodically audited by the relevant authorities.

AN ADVANCED APPROACH TO SERVE YOU

The security field is continuously soaring. To provide you with the best services, AQL keeps on being at the edge of the researches in this field. AQL specifically works on the following topics : formal methods, ciphering software, virus, electronic payment, system security, telecommunications, evaluation criteria and methods. Some of these activities are carried out in collaboration with clients.

The close relationships between AQL and research centres, standardization organizations, engineering schools and universities are opportunities to exchange knowledge such as to regularly improve the results of internal researches.

Besides, AQLs Facility has performed a lot of methodological studies in order to improve its evaluation process. Since 1992, AQLs Facility has proceeded many evaluations. During each evaluation, the evaluators contribute by their experience to the improvement of the overall evaluation process.

The Evaluation Facility also takes advantage of AQLs quality referential, an ISO 9001 certified company. The Evaluation Quality Manual is the result of a collective work between quality experts and the technical staff of the Evaluation Facility. Merging this Evaluation Quality Manual to the overall company Total Quality Manual guarantees that the quality referential is applied on a day-to-day basis and completely mastered.

AN ADEQUATE ORGANIZATION

In order to effectively achieve an evaluation, several skills have to be combined :

As soon as the project launch, which is entrusted to AQLs ITSEF, we build up a team combining ITSEC experts and technical experts of the field of your target of evaluation.

Our organization enables a quick response to a deliverable arrival. If the evaluation is concurrent (in parallel with the development), our work method, consisting in preparing the final tasks all along evaluation, minimizes the time between product delivery and the end of the evaluation.

IN ORDER TO MEET YOUR NEEDS

We can offer our services to your teams either consisting in :

 

SOME OF OUR ACHIEVEMENTS


Firewall
ITSEC evaluation at level E4 of a firewall built out of two VME filtering devices and a monitoring station.

CommunicationsSystems
ITSEC evaluation of a trusted digital phone product RANCH ( Régie dAbonné Numérique Chiffrante ) at level E3. This product includes two types of ciphering terminals and servers for monitoring, interlocutors authentication and key management purposes.

PC software

ITSEC evaluation of a commercial product at level E2.

Smart card reader

ITSEC evaluation of an intelligent smart card reader (software and hardware).

Military software

Contribution to an experimental ITSEC evaluation of a trusted military software, at level E4.

Smart card

Smart card embedded software evaluation.

Operating system

UNIX HARRIS system evaluation : trusted UNIX system including hardware, base software (ATT System V - Berkeley interface) and network software. The main characteristics of this evaluation are
  • consecutive evaluation,
  • targeted level E3,
  • functionality class F-B1.

This system has been successfully evaluated in the United States against American criteria TCSEC at level B1. Its main functionalities are thus :

  • mandatory and discretionary access control,
  • users identification and authentication,
  • audit of operations on the system,
  • objects clearing before reuse.

Database

Trusted ORACLE V7 evaluation :
  • comparison of the functionalities and performances of ORACLE V7 and Trusted ORACLE V7 (in combination with SUN-CMW operating system).
  • analysis of Trusted ORACLE V7 evaluation deliverables. An independent analysis of these deliverables has been performed. The results have been confronted to the evaluation reports resulting from the English evaluation at level E3.

Software Engineering Environment

Security analysis of the software engineering environment Entreprise II with a view to its evaluation :
  • comparison of the existing toolkit functionality with respect to the requirements of the functionality class F-SEE-2 ; identification of security functions and mechanisms.
  • confrontation of the current toolkit associated documentation with ITSEC requirements for evaluation level E2.
  • effectiveness pre-analysis aimed at identifying vulnerabilities.

Communications systems

Preparation for the evaluation of a trusted phone product :
  • security target review,
  • developers quality referential analysis,
  • presentation of an approach to effectiveness analyses.

Preparation for the evaluation of an extension to a message handling system towards an office automation environment.


Protection Profile

Evaluation against Common Criteria of a Protection Profile for a firewall.

Training

Training about evaluation criteria within one or two days : Thomson, Gemplus, Schlumberger, Supélec, Centre dInstruction à la Sécurité des Industriels de lArmement (CISIA).

 

For confidentiality reasons, some of our achievements are not detailed.

 


FOR ANY FURTHER INFORMATION

Please contact :
About commercial aspects : Roland PETIT
About technical aspects : Christian DAMOUR
Electronic mail : c


Drivers - TV Numérique - Intranet - Méthodes formelles - Sécurité
Accueil - AQL - Carte du site -
Copyright © 1996, 1997 - Alliance Qualité Logiciel - Dernière mise-à-jour : 10 Septembre 1997