Welcome to the Acumen Security Blog

OpenSSL + FIPS… here to stay!

If you follow the developments in OpenSSL (who doesn’t?!?!) you would have seen the BIG NEWS posted by Steve Marquess regarding the next round of FIPS validation of OpenSSL’s FIPS Object module! This is indeed an exciting moment for all of us here at Acumen Security! We are honored to be part of this team for such a seminal FIPS validation.

The last OpenSSL crypto module FIPS validation had a profound impact on how ICT companies leverage and claim FIPS compliance, and we expect this one will have an even greater impact on our industry. We have seen firsthand how useful it is for companies to have a FIPS validated module for use with OpenSSL, and the efficiencies it offers. The contribution of the FIPS validated OpenSSL crypto module cannot be overstated.

We are thankful to SafeLogic and the OpenSSL project for placing their trust in us to be the Lab of choice. With this honor, we are keenly aware of the responsibility that has been placed on our shoulders. Given what is riding on this FIPS validation, we aim to offer a certification that is solid and comprehensive and can withstand the scrutiny that comes with an open source validation. With multiple decades of experience and knowledge in leading and shepherding FIPS validations, we expect to bring this validation to its expected successful completion.

As Steve mentioned, more details to follow, stay tuned! We will be updating our progress in the coming weeks and months. For more information about the project please contact us at info@acumensecurity.net.

Making Real World Impact!

When we started Acumen a little over two years back we wanted our work to have real world impact. Compliance-based testing and certification have received a bad rap over the years as being checkbox security or, even worse, as having no security impact. In this respect our genesis of starting Acumen might well have been called a pipe dream.

Against such odds, over the last two years I want to believe our work has had real world security impact, from entropy to more secure protocols, to better designed security practices. We have worked with many customers and helped make their products’ security posture better. This has been a fulfilling and satisfying experience.

Not every product is purely commercial, however. Many government customers have a wish or requirement to pursue the use of Open Source systems, but they still need compliance certifications. For a long time, this has essentially meant the need to use Linux-based systems. We are seeing an increase in interest in BSD-based solutions, however, and Acumen engineers have been conducting some pro-bono research into the gaps that stand in the way of those potential customers using operating systems such as FreeBSD and HardenedBSD.

One of the major work products associated with this endeavor was the recent run-down on the “W^X” objective requirement in the OSPP. A lot of attention was paid to this post in the open source community, particularly in the BSD world, including coverage in the BSDNow.tv video podcast, which really drove a lot of traffic to Acumen’s blog.

As a direct result of this attention, and the discussions which ensued, OpenBSD has sped up their timeline for enabling userland enforcement of W^X, and it will be the default behavior in 6.0, with patches for testing committed by Theo de Raadt last week.

Whether open source projects ultimately choose to pursue certifications, or merely use the guidance to improve their projects, everyone on the Internet who directly or indirectly relies on open source software benefits from a safer, more secure Internet.

This is quite exciting and I am proud of our team and the work they are doing. We hope to continue in this vein and keep making a positive impact by driving and deriving value out of certifications rather than just having checkbox compliance.