A security validation is a substantial process\u2014getting it started can be daunting. But you don\u2019t need to decide everything up front\u2014in fact, you\u00a0shouldn’t. There are definitely some important considerations to work through, but there are some decisions you should put off until you are well into the process. If you have been tasked with getting a security validation done for your product, where to begin is, in fact, one question you need to answer.\u00a0If you are like most people, you start by reading and researching the security standards, evaluation laboratories<\/a>, and validation consultants<\/a>.\u00a0Then the feeling that you need to start making some decisions sets in.\u00a0Assuming you are still open to suggestions, stop right there.\u00a0There are things you need to work on, but making decisions is not one of them.\u00a0Keeping an open mind at this stage is\u00a0critical to the future success of your validation effort. If you aren\u2019t making decisions, what should<\/em> you be doing?\u00a0<\/strong>Here are some crucial first steps:<\/p>\n

\n
• Understand what your ROI looks like. Do you understand why you are getting a security validation?\u00a0What could your sales team do if they had a validated product in their arsenal?\u00a0Understanding your potential ROI will be be critical when you start making decisions later in the process.<\/li>\n
• Get the support of major stakeholders. If your sales team is asking for validation, is the engineering team on board?\u00a0What would it take to get them on board if they are not?<\/li>\n
• Identify the budget.\u00a0Security validations are not inexpensive.\u00a0Making sure you have appropriate budget is important for success.<\/li>\n
• Find out when your next major release cycle will be.\u00a0Chances are, changes are going to need to be made to your product.\u00a0Understanding when those changes could fit into a product release will be key.<\/li>\n<\/ul>\n

  What decisions should be deferred?<\/strong><\/p>\n

  \n
  • The \u201clevel\u201d of validation you should pursue.\u00a0You need to understand a lot about the path through certification before you can make this decision.\u00a0It is good to have an idea of what is required to meet your ROI goals, but typically there are many options for product vendors to consider before making this decision.<\/li>\n
  • Which testing laboratory to use. The choice of a testing laboratory should be made based on experience, availability, cost, and several other factors.\u00a0Making this choice before you understand how to make these tradeoffs unnecessarily limits your options.<\/li>\n
  • Which scheme\/country to choose. Many security validations are done in multiple countries.\u00a0There are reasons to have your validation work done in one over another.\u00a0You need to understand these reasons and how they apply to your product and goals before you make this choice.<\/li>\n
  • A validation boundary.\u00a0Deciding what to validate, which seems like it should be a very obvious choice, is almost never obvious.\u00a0After 15 years, I begin every new engagement with a customer asking them to stay open minded as to their validation boundary until we explore the technical and business issues surrounding a validation.\u00a0This decision is best delayed as long as possible.<\/li>\n<\/ul>\n

    Starting a validation requires a lot of considerations and research. But it\u00a0doesn’t\u00a0require you to have all the answers up front. Learn as much as you can without closing off any avenues too soon.\u00a0The more you know,\u00a0the better your decisions will be at the appropriate time in your process. Learn how Corsec can help you with the considerations and decisions required in your security validation process. Click here<\/a>\u00a0to contact us and receive more information.<\/p>\n","protected":false},"excerpt":{"rendered":"

    A security validation is a substantial process\u2014getting it started can be daunting. But you don\u2019t need to decide everything up front\u2014in fact, you shouldn’t. There are definitely some important considerations to work through, but there are some decisions you should put off until you are well into the process.If you have been tasked with…<\/p>\n","protected":false},"author":2,"featured_media":4400,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63],"tags":[82,25,4,39,8],"class_list":["post-1430","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-certification-process","tag-common-criteria","tag-fips-140-2","tag-security-certifications","tag-uc-apl","infinite-scroll-item","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","no-featured-image-padding"],"yoast_head":"\n