
How does security certification work if the software uses third-party libraries or services?

E.g., if someone would like to certify a software product following the Common Criteria standard (let's say, CC EAL1), and the software uses:

1) an authentication service provided by a third party.

2) different libraries, e.g. for data encryption.

3) a database for storing the data.

Does the certification imply that only CC EAL1 certified databases (including the database driver and ORM framework), libraries and services can be used by the certified software product?

If yes, what about the libraries that are not directly involved in the data processing, e.g. logging frameworks, or libraries that are used internally, e.g. JSON or XML parsing libraries, and so on?

Andrey Sapegin

1 Answer

The Configuration Management scope (ALC_CMS class), mentioned in the Common Criteria Developers Guide (CC v3.1), describes what should be included in the configuration list.

Starting with EAL2, the parts that comprise the Target of Evaluation (TOE) should be provided in this list, including software modules and hardware components.

The following evaluator action is mentioned: "The evaluator will check that the configuration list includes the above listed configuration items and that these configuration items are uniquely referenced."

Andrey Sapegin