
SRC GmbH: Pioneer in BSZ certification with expansion of the team of experts

In the following article you will learn more about how SRC GmbH has been acting as a recognized test center for the BSZ since September 2021 and what important developments and expertise it offers in this area.

Accelerated Security Certification (BSZ): An Introduction

The BSZ is a procedure offered by the BSI in Germany to prove the security of IT products. It was introduced to give manufacturers a faster way to demonstrate the security of their products with a BSI certificate. This assessment aims to ensure that the product meets the security requirements of the BSI and offers end users an appropriate level of protection. Compared to conventional certification according to Common Criteria (CC), the BSZ offers the advantage of faster certification, evaluation times that are easier to plan, and a significantly reduced documentation effort for the manufacturer. SRC is a testing center for accelerated security certification (BSZ) recognized by the Federal Office for Information Security (BSI) and was one of the first recognized certification bodies.

The road to security: BSZ versus CC

The procedure only allows a single run, i.e. the product to be evaluated may not be changed during the evaluation. This greatly speeds up the process overall, but there is always a risk that products will fail the first attempt and therefore not receive a certificate. In this case, however, a new certification procedure can be requested from the BSI at any time.

Under the direction of Peter Jung: The first steps of the SRC with BSZ

Under the project management of Peter Jung, who has been responsible for the BSZ at SRC from the start, SRC has since evaluated the Lancom 1900EF VPN router, which was also the first BSZ product ever, and then the secunet high-speed connector. As soon as this is evaluated, we will report on it in another article.

New expertise at SRC: Tim Hirschberg and Dr. Matthieu Felsinger

We are happy to announce that since May 2023 the SRC team has been strengthened by Tim Hirschberg (BSZ evaluator), Dr. Matthias Heuft (BSZ evaluator) and Dirk Feldhusen (BSZ evaluator for cryptography).

The BSZ certification in detail: concentration on promises of security

The BSZ certification focuses on verifying the security performance promised by the manufacturer. The actual certification is carried out after the product has been evaluated by a test center recognized by the BSI, such as the SRC. The resulting test report serves the BSI as a basis for awarding the certificate.

The path to the certificate: the verification process at SRC

The evaluation takes place within a fixed timeframe (about 2–3 months) that depends on the complexity of the product. The evaluation services include checking the promised security functionality (conformity tests) and the installation instructions as well as penetration tests, in which the effectiveness of the technical security measures of the product is checked under realistic attack scenarios.

A Holistic Review: Cryptography and Beyond

The assessment of the implemented cryptographic procedures is also part of the comprehensive testing process that an IT product has to go through in order to receive the BSZ certification.

A look into the future of security certification

At SRC GmbH, we are proud of our role as a recognized testing body for accelerated security certification (BSZ) and of continuously promoting security standards in the IT industry. With our experienced team and commitment to innovation, we will continue to help ensure the security of IT products.

If you would like to learn more about our BSZ certification services or have any questions, please do not hesitate to contact us. Together we can meet the security requirements of your products and pave the way for certification. We look forward to working with you and shaping the future of security certification.

BSZ Certificate

SRC recognized as test center for accelerated security certification (BSZ)

On 01 October, the “Accelerated Security Certification (BSZ)”, the new certification procedure of the German Federal Office for Information Security (BSI), started. Already on September 28, SRC was recognized by the BSI as a testing body for this new procedure. Sandro Amendola is head of the department Standardization, Certification and Security of Telecommunication Networks at the BSI. On behalf of the BSI he handed over the certificate of recognition to Peter Jung, who is responsible for the BSZ at SRC.

Accelerated Security Certification is the BSI’s new lightweight procedure for certifying the security of IT products. In contrast to a CC certification, a certification according to BSZ has several advantages: a considerably lower documentation effort, a significantly shortened implementation and thus a lower cost.

The certification scheme follows a risk-based approach. In this process, the security performance of the IT product is tested by a recognized testing body such as SRC within a fixed timeframe using conformance and penetration tests to determine its security performance and its resistance to attacks.

The user also benefits. He receives comprehensible documentation of the security performance and the promise that any vulnerabilities that occur are guaranteed to be remedied within the certificate’s validity period.

“After SRC has already carried out the first successful evaluation according to BSZ, we are very pleased about the recognition as a test center for this innovative certification scheme that has now taken place,” says Peter Jung, representative of the test center and the person responsible for the Accelerated Security Certification (BSZ) at SRC.

SRC was one of the first test centers to be recognized for BSZ. SRC performed the evaluation of the LANCOM-1900EF, the first certified BSZ product ever.

Lancom 1900EF VPN Router receives first Accelerated Security Certification (BSZ)

The BSI has granted LANCOM Systems GmbH the first certificate according to the new BSI scheme “Accelerated Security Certification” (BSZ for short). In this pilot procedure, SRC evaluated the security features of the Lancom 1900EF VPN Router and finally recommended approval to the BSI.

LANCOM has already had the security of its solutions tested and confirmed or certified by SRC in many procedures using Common Criteria evaluations or penetration tests. With the pilot evaluation for the BSZ, the BSI, LANCOM and SRC have jointly set a further standard for the certification of IT security solutions, with the aim of achieving time-to-market certification.

The Accelerated Security Certification (BSZ) allows manufacturers to have their products evaluated and certified by the BSI within a specified period of time. The evaluation must be carried out by a test centre recognised by the BSI. With the BSZ, the total effort of the evaluation, in comparison to e.g. Common Criteria evaluations, is predetermined from the beginning (fixed time). This allows manufacturers to estimate the expected effort well.

When designing the attack scenarios, the BSZ allows the evaluators a relatively large leeway. This test catalogue must be presented to the BSI extensively and in detail. This design leeway demands an above-average degree of expertise, care and creativity from both the evaluation facility and each individual evaluator. The test catalogue and the final evaluation in the test report draw on broad know-how in cryptography, penetration tests and protocol attacks. The implementation by the manufacturer is evaluated by the test centre, and the responsible persons at SRC have to defend this evaluation against the critical view of the BSI.

“Accelerated security certification will certainly play a major role, especially in the field of IOT devices,” says Gerd Cimiotti, Managing Director of SRC Security Research & Consulting GmbH. Like Lancom and the BSI, he expresses his thanks for the professionalism on all sides with which this pilot procedure was ultimately brought to a successful conclusion.

Ralf Koenzen, founder and managing director of LANCOM Systems GmbH, gives the manufacturer’s perspective: “When you do something for the first time, the effort is always greater. It is precisely then that you feel the experience and expertise of a partner like SRC as orientation and noticeable relief.”

As a long-standing partner of the BSI, SRC has already carried out a large number of projects in the most diverse approval schemes. SRC is currently in the process of being recognised as a test centre for accelerated security certification.

We would also be happy to accompany your accelerated security certification. If you have any questions about the BSZ, please do not hesitate to contact us.