Cybersecurity Certification and Assessment Tools

Overview

Cybersecurity regulations are becoming increasingly complex. The Cybersecurity Act (CSA) introduces an EU-wide cybersecurity certification framework, while the Cyber Resilience Act (CRA) sets mandatory cybersecurity requirements for products with digital components. A reliable and flexible set of tools is essential for continuous security assessment and navigating these evolving regulations.



In the CCAT project, we propose adapting four open-source tools, developed in academic cybersecurity research, to support the implementation of new regulations: (1) TLS-Scanner for assessing security in TLS clients and servers; (2) SCRUTINY for evaluating cryptographic implementations, software libraries, and hardware, including black-box setups; (3) ALVIE for testing embedded security architectures against vulnerabilities; (4) sec-certs for analysing certification landscapes and evaluating the relationships between certified products and actual vulnerabilities.



CCAT will enhance these tools to meet the needs of various users involved in or dependent on cybersecurity assessment and certification. The CCAT methodology builds upon: (1) Relevant feedback for purpose-driven enhancements enabled by collaboration with users applying the CCAT tools in diverse application scenarios. (2) Robust usable security research exploring and collaboratively improving user interaction with the tools. (3) Aligning the tools with the emerging EU security certification landscape.



CCAT tools aim to empower both ICT producers and consumers, fostering a more transparent, accountable, and resilient digital environment. Regulatory bodies can use these tools to assess the effectiveness of cybersecurity certifications, verify the security of specific implementations, and ensure the cybersecurity of the EU digital single market.

Key Facts

Grant Number: 101225878
Project type: Research
Project duration: 01/2026 - 12/2028
Funded by: European Union (EU)


Principal Investigators


Prof. Dr. Yasemin Acar

Empirical Software Engineering


Prof. Dr.-Ing. Juraj Somorovsky

Department of Computer Science
