When we started Acumen a little over two years ago, we wanted our work to have real-world impact. Compliance-based testing and certification have received a bad rap over the years as being checkbox security or, even worse, as having no security impact. In this respect, our decision to start Acumen might well have been called a pipe dream.
Against such odds, over the last two years I want to believe our work has had real-world security impact, from entropy to more secure protocols to better-designed security practices. We have worked with many customers and helped improve their products’ security posture. This has been a fulfilling and satisfying experience.
Not every product is purely commercial, however. Many government customers have a wish or a requirement to use Open Source systems, but they still need compliance certifications. For a long time, this has essentially meant the need to use Linux-based systems. We are seeing increasing interest in BSD-based solutions, however, and Acumen engineers have been conducting pro-bono research into the gaps that currently prevent those potential customers from using operating systems such as FreeBSD and HardenedBSD.
One of the major work products of this effort was the recent rundown of the “W^X” objective requirement in the OSPP. That post received a lot of attention in the open source community, particularly in the BSD world, including coverage on the BSDNow.tv video podcast, which drove a lot of traffic to Acumen’s blog.
As a direct result of this attention, and the discussions that ensued, OpenBSD has sped up its timeline for enabling userland enforcement of W^X: it will be the default behavior in 6.0, with patches for testing committed by Theo de Raadt last week.
Whether open source projects ultimately choose to pursue certifications, or merely use the guidance to improve their projects, everyone on the Internet who directly or indirectly relies on open source software benefits from a safer, more secure Internet.
This is quite exciting, and I am proud of our team and the work they are doing. We hope to continue in this vein, making a positive impact by driving and deriving value from certifications rather than settling for checkbox compliance.