Lightweight information and communication technology (ICT) product security evaluation.
The LINCE methodology, developed by Spain’s National Cryptologic Center (CCN), addresses the need to certify products for deployment in environments where the threat level is low or medium. This process allows an evaluation laboratory to verify whether the product conforms to its specification and to determine the effectiveness of the security functions implemented.
LINCE certification qualifies products for inclusion in the IT security product catalogs of Spain’s public administration and CCN.
LINCE – a lightweight security evaluation accessible to any company
Based on a Security Target (ST) and documentation provided to clients (user manuals), the defined evaluation procedure supports short cycle times – evaluations can be completed in less than two months. If an evaluation is not successful, the product’s non-conformities can be resolved within a period of six months without the need to conduct the whole evaluation process again.
The LINCE methodology places less focus on document evaluation than Common Criteria does. Evaluators have the same information that is available to a real attacker. 80% of the evaluation effort focuses on testing security functionality, vulnerability analysis and penetration testing, mostly in a black-box setup. This approach allows detection of the most dangerous vulnerabilities at minimal cost.
A LINCE basic evaluation can be augmented with the cryptographic and source code modules to provide a higher assurance level. These modules increase the evaluation effort by two working weeks.