Cyber Secure Institute Cuts Through Misleading Security Claims: LynuxWorks and LynxSecure

PRESS RELEASE

WASHINGTON- Today, Rob Housman, the Executive Director of the Cyber Secure Institute, put out this statement concerning a November 18, 2008 announcement by LynuxWorks of its LynxSecure software:

LynuxWorks's said that its LynxSecure "Technology Supports EAL-7 Evaluation, Integrates Multiple Applications at Different Security Levels on a Single Piece of Silicon and Consolidates Hardware for Security and Separation". The company also said, "LynxSecure supports a lightweight Application Run-Time environment that can be used for creating secure applications without an intervening OS which can be evaluated to the required assurance level up to EAL-7."

Sadly, like so many other security claims, this is marketing speak. Claims like this are why the Cyber Secure Institute was founded—to cut through inaccurate and misleading security claims and advocate for certified secure technologies.

Read the release carefully. LynuxWorks didn't say its technology has been certified to a high level of security. In fact, LynxSecure is not listed as certified on the National Information Assurance Partnership (NIAP) list: http://www.niap-ccevs.org/cc-scheme/vpl Nor is it on the NIAP's product evaluation list: http://www.niap-ccevs.org/cc-scheme/in_evaluation What LynuxWorks actually said is its system supports EAL 7 evaluation or could be evaluated at that level. To paraphrase, "We haven't been, but trust us, we could be evaluated to that level." Saying one could be evaluated at a level 7 isn't the same as being certified. The Cyber Secure Institute's position is that claims about cyber security ought to be subject to an actual independent, objective, data-driven certification process. To this end, we would encourage LynuxWorks, and any other technology provider who thinks that their systems can pass a high-level security certification, to actually go and get certified. If you get certified we look forward to inviting you to become a Certified Member of the Institute. The Cyber Security Institute is a newly established analysis and advocacy institute dedicated to serving as the voice for effective cyber security. For more information: www.cybersecureinstitute.org. Contacts: Cyber Security Institute Rob Housman 202-486-5874 or 202-289-7999 [email protected]