Sec-certs: How can it help you? (ICCC 2024)

Help us improve sec-certs!

We’re gathering feedback on the sec-certs tool, and we’d love to hear your thoughts! What do you like about it? Is there anything that could be improved? Your input is essential in helping us better understand and refine the technologies we work with.

Visit our booth or complete the survey on your own

Feel free to stop by the Red Hat booth to try a live demo of the sec-certs tool at one of our workstations. We’re happy to discuss the study topics with you in detail. If you prefer, you can also complete the survey on your own device (though it may be a bit challenging on a phone).

Participate and get swag!

After completing the survey, you’ll receive exclusive Red Hat swag. Instructions on how to claim your swag will be provided on the final page of the survey.

The survey is anonymous

This survey is entirely anonymous. We do not collect personal information, including names or any identifying details. The dataset will be published as part of a research thesis by Martin Hofbauer (Masaryk University) focusing on the user experience of the sec-certs tool.

Research affiliation

The research is organized by Masaryk University, Czechia in partnership with Red Hat Research and is co-funded by the CHESS research grant.

If you have any questions or need further information, feel free to visit us at the Red Hat booth or contact Martin Ukrop (Principal research engineer, Red Hat) at mukrop@redhat.com.


Gaining experience
The study is best answered after having engaged with the sec-certs tool in a realistic scenario.
1

Will you complete a small (5–10 minute) real-world scenario using the sec-certs.org tool?

  • You may use your own device or visit the Red Hat booth, where computers are available.
  • Using a laptop is recommended, as browsing on a phone may not provide an ideal experience.
Test scenarios

Please select one or more of the following scenarios and go to sec-certs.org to find the answer(s).

  • All scenarios assume Common Criteria as the certification framework.
  • You will only need to use sec-certs.org to complete this task; no other websites are required.
  • If you’re unable to complete a scenario, feel free to respond with “I couldn’t find the answer”.
2
Which certification laboratory tested the Cisco Catalyst 3650 device running IOS-XE 16.9?
3
Compare the certificates for Red Hat Enterprise Linux versions 8.1 and 8.2 using a side-by-side comparison feature. What change was made to hash_function/SHA?
4
Find at least one certificate that may be affected by CVE-2017-15361.
(paste certificate id)
5

Set up notifications to test@test.com for any new vulnerabilities related to the certificate for Smart Meter Gateway 1.3. Briefly describe the steps you took to set this up. 

6
Which symmetric cryptographic algorithms are used by the certificate NXP JCOP 8.x on SN300 B2 Secure Element, version JCOP 8.0 R1.38.0.1? Note that this certificate has been removed from the CC portal, but the sec-certs tool maintains archives.
7
What critical CVE is associated with the Xerox WorkCentre Pro 232 device certified in 2007?
8
Locate any certificate that references a post-quantum algorithm. Use the light-weight query: "post quantum" OR "post-quantum" OR "PQC"
(paste certificate id)
9
What percentage of certificates is associated with the category ICs, Smart Cards, and Smart Card-Related Devices and Systems?
10
You suspect the ATMEL Toolbox 00.03.11.05 library has a vulnerability. Find certified devices that use this library and could potentially be affected (list at least one).
(paste certificate id)
Prior exposure
11
Have you used the sec-certs tool before?
Tool deficiencies
12
Based on your experience, which aspects of the sec-certs tool could be improved?
Introduction to the sec-certs tool
13

The sec-certs tool offers a centralized platform for analyzing security certificates, with a focus on Common Criteria and FIPS 140-2/3. Key features include:

📊 Certification data aggregation & annotation

The sec-certs tool aggregates data from multiple certification repositories, enriches it with metadata, and consolidates everything into a single, user-friendly interface. This includes information from global certification bodies and associated documentation.

🔎 Unified search

With a powerful search feature, the tool enables users to efficiently search across multiple certification databases in one place.

🛡️ Mapping to CVEs (NIST National Vulnerability Database)

Effortlessly connect certified products to known vulnerabilities by mapping certificates to the NIST National Vulnerability Database, offering insights into associated CVEs (Common Vulnerabilities and Exposures).

📈 Trend visualizations

The sec-certs tool converts complex data into meaningful graphs and charts, making it easier to interpret certification trends, audit performance, and track certification timelines.

🔄 Certificate side-by-side comparison

Quickly compare certificates from different products or vendors with a side-by-side view that highlights key details and differences. This feature enables users to directly assess security requirements, validation scopes, and certification attributes, helping identify critical security standards across products.

🗑️ Historical data archive

The sec-certs tool includes a feature for locating certificates that have been removed from official certification portals. Users can access historical data even for certificates no longer listed, providing a comprehensive view of past certifications and any associated vulnerabilities.

🔗 Certificate references

The sec-certs tool provides comprehensive referencing capabilities between related certificates, allowing users to trace dependencies. These references enable deeper insights into certificate lineage and the relationship between various certifications.

🌐 Open source & open data

Fully open-source and actively updated by a community of security experts, sec-certs is available on GitHub for customization and collaboration. All preprocessed datasets can be downloaded directly from the sec-certs website.

🔔 Automatic update notifications

Stay informed with automatic notifications for important updates related to observed certificates, including changes to associated CVEs.

🖥️ API and automation

Designed for seamless integration into your workflow, the sec-certs tool offers an API for automated data retrieval, making it ideal for large-scale analyses.

General feedback
14
Have you heard about the sec-certs tool before ICCC 2024? If so, where?
15
Which features of the sec-certs tool do you like the most?
16
In what use cases do you find the sec-certs tool useful?
17
Do you have any feature requests for the sec-certs tool?
18
Which of the graphs on the sec-certs CC analyses page do you find most useful?
19
Are there any specific graphs that you think we should add?
20
If the following graph features were added in the future, how important would each be to you?
Rating scale: Not important at all / Slightly important / Moderately important / Very important / Extremely important / No answer
Saving graphs/dashboards privately to your sec-certs account for later access
Ability to export graphs in multiple formats (SVG, PNG, CSV)
Up-to-date graphs created by sec-certs developers
Option to create your own custom graphs
Option to share a graph/dashboard via a unique URL
Grouping multiple graphs into customizable dashboards
21
How important do you find the following features of the sec-certs tool?
Rating scale: Not important at all / Slightly important / Moderately important / Very important / Extremely important / No answer
Full-text search across certificates
Receiving notifications on certificate changes
Displaying ecosystem trends and analyses (example)
Retaining archived certificates (those already removed from the CC portal)
Viewing certificate references/dependencies
Searching for certificates by name or ID
Receiving notifications on new certificate-related CVEs
Viewing related CVEs for each certificate
Comparing certificates with highlighted differences
About you
22
Which category best describes you?
23
What is your specific role? 
24
How often do you search for certification-related files online?
25
What information do you frequently need to extract from certificates?
26
Are there any repetitive tasks you encounter when working with certificates?