Welcome to the Acumen Security Blog

Welcome Aboard!

At Acumen, we are always looking for ways to improve both our customer experience and our testing. In addition to tooling, infrastructure, and training investments, we truly believe the best way to build a world class lab is to bring on the right people. I think we’ve done a great job of bringing not only excellent engineers but excellent people on board. Today is no exception: I am proud and pleased to announce the latest member of the Acumen family, Ryan Thomas.
Many of you may recognize Ryan’s name from his many years leading a FIPS lab, the many crypto-related working groups he’s a member of, or the conferences he is always at. Both Ashit and I have had the opportunity to work with Ryan both at Acumen and in our previous jobs at Cisco. It is an understatement to say that our experiences with Ryan were nothing but excellent. Ryan truly embodies the Acumen philosophy of putting the customer first and foremost in every interaction. This, combined with his excellent technical grasp, is why we are so excited to have him join Acumen.
So, if you have a call with us over the next couple of weeks, you will likely hear Ryan on the bridge as well. True to form, Ryan is already eager to jump in and start producing. Please say “Hi” if he’s on a call or email chain. Just like Ashit and me (and all of us here at Acumen, really), he loves to chat and would love to help you navigate the certification process.
Welcome aboard, Ryan. Today Acumen is better than yesterday!

Pros and Cons of Using an Embedded FIPS-module

As more and more procurement requirements necessitate the use of FIPS validated cryptography, a popular strategy for meeting those requirements is to leverage an already existing validated cryptographic provider (and get all of the “FIPS goodness” that comes with using validated modules). This strategy is particularly popular with large product vendors who have multiple product lines, where the level of effort to do a full validation for each product would be prohibitive. There are many benefits to this approach:

  • Time to market of a certified solution (weeks vs. months or years)
  • Cost (an order of magnitude less)
  • Level of effort (swapping libraries vs. fixing multiple bugs and coordinating with labs/gov’t)
  • Maintenance (a small crypto boundary means fewer re-certifications)
  • Scalability (reduces the overall burden on engineering teams)

And the best part is that it is explicitly allowed by the CMVP. In fact, FIPS 140-2 Implementation Guidance G.5 discusses the specifics of porting/using an already validated module within a product. With that being said, why wouldn’t every company just pick up the latest version of their favorite 3rd party module and call it a day? There are some potential drawbacks to using an embedded module (meaning it’s not right for everyone), for example:

  • Coverage (some functionality the product needs may simply not be available in the module that works on the target system)
  • Relevance (some modules are not updated regularly and may only support deprecated versions of algorithms)
  • Maintenance (since the code doesn’t necessarily belong to the product team, bug fixes may be slow)
  • Marketing (since it’s not the vendor’s product, their name doesn’t go on the validation list)

As can be seen from the above, developing a FIPS validation strategy for a company’s product(s) takes more consideration than just identifying where the product gaps are and coding. If you’re interested in more information about the pros and cons of using an embedded FIPS module, check out the slides I presented at ICMC this year, or drop me an email or call me. I (seriously) like to talk, so you’ll be doing me a favor 🙂

PS: Follow us on Twitter and like us on Facebook; we’ll keep you up to date on the ever-changing world of government certifications.