
I never came across a web application that has been certified according to Common Criteria. As far as I know there isn't even a protection profile available for web applications.

What is the reason for this? Is Common Criteria not suitable for web applications? What are the main problems?

Demento

2 Answers

No. In practice, the Common Criteria is not a great tool for assuring or evaluating the security of a web application. There are a number of reasons:

  • There's plenty of knowledge about how to evaluate the security of a web application. There are companies who will do that for you (e.g., Whitehat Security, Cigital, and many other companies). We don't need no stinkin' standards.

  • Common Criteria is a clumsy, heavyweight tool. Based upon experience in other industries, it would not be a good match for the rapid innovation and agility in web applications.

  • Common Criteria evaluations are expensive and they often aren't as effective as one might like, so they're probably not an efficient way to evaluate the security of your web application.

  • My sense is that Common Criteria evaluations often lean too heavily towards bureaucratic exercises in ticking off checkboxes. Also, Common Criteria evaluators suffer from a conflict of interest (they are paid by the folks they are evaluating, which tends to lead to a least-common-denominator syndrome where evaluators tend to be a bit lax). As a result, I've seen highly insecure products certified under the Common Criteria.

  • Common Criteria evaluations are time-consuming, so it's not unusual for a product to be almost obsolete by the time it is certified.

  • As far as I know, there is no "protection profile" for web applications. In principle, Common Criteria is happy to let you certify anything, if there's a "protection profile" that specifies what the security requirements and threats may be. Since there is no "protection profile" for web applications, you couldn't certify a web application to the Common Criteria even if you wanted to.

To summarize, Common Criteria primarily solves a compliance problem, not a security problem.

D.W.

Comment: Your last bullet is incorrect. There is no need to have a protection profile in order to certify something with Common Criteria. You can just as well directly write a security target for your product and evaluate that. I would also disagree that CC is in general unsuitable for certifying web applications. There are plenty of certificates for software products. CC addresses the following problem: A wants to show B that his product is secure and meets certain (security) requirements. CC involves money and, depending on the EAL/AVA_VAN, also a thorough security assessment. Do you need that assertion? – ndbd Jan 31 '17 at 12:04

You can certify pretty much anything with Common Criteria, by its very nature. The first step of Common Criteria is to define what the system being certified looks like, and then to lay out what the appropriate security yardsticks will be for that system. If you had an IP-enabled screwdriver, you could get it certified under Common Criteria (assuming it was secure enough, of course).

Looking at the Common Criteria Certified Products list, for example, I see BEA WebLogic and IBM WebSphere certified. Those are web application platforms, one step up from what you're looking for. I also see Splunk on the list, which could be considered a web application.

Now, I don't know for sure what you're looking for when you say web application. But the sole common factor among every entry on the CC Certified Product list is that someone wanted to sell it to people who made security certification part of their evaluation and purchase process. If you mean web applications like, say, Google Docs or Google Mail - Google isn't selling them to anyone. Sure, they sell the service, but not the applications. So there's no need to get them CC certified, because there's no benefit in doing so.

Hope that helps!

gowenfawr