Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/3/2017
05:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Oracle, SafeLogic and OpenSSL Partner on Next Generation FIPS Module

Oracle dedicates seed funding towards developing FIPS module for OpenSSL 1.1 and calls on corporate sponsors in the FOSS ecosystem to join the effort

REDWOOD SHORES, Calif., August 3, 2017 – Oracle, OpenSSL and SafeLogic today announced a seed investment in developing the next generation open source OpenSSL 1.1 FIPS 140-2 module, and called for others to join the effort. OpenSSL is the most widely used and respected cryptographic library protecting data transfers across computer networks. 

The Federal Information Processing Standard (FIPS) 140-2 is a joint U.S. and Canadian government security standard for testing cryptographic modules, the objective of which is to ensure the use of strong and validated cryptographic protection in U.S. and Canadian government systems. However, it’s also widely respected and informally accepted by other countries and non-government industries as a strong and trustworthy standard for cryptographic modules used within commercial products. The current FIPS module for OpenSSL has not had a significant upgrade since 2012, during which time encryption standards have significantly evolved. Helping drive the updated OpenSSL FIPS project forward, Oracle has made a $50,000 seed investment to start the project, with another $50,000 to follow based on the progress of the effort.

“Ensuring that OpenSSL maintains an up to date FIPS implementation is critical to helping maintain the security posture of sensitive data on government systems and the continuous safety of millions of transactions performed daily. We as a community have a responsibility to maintain the confidence of users in these systems,” said Jim Wright, Chief Architect, Open Source Policy, Strategy, Compliance and Alliances at Oracle. “Given the complexity of the task at hand, we encourage other software vendors to join us in and donate to this project to deliver a free, open-source FIPS module that will benefit everyone.”

In addition to working closely with the OpenSSL Foundation’s team, Oracle and SafeLogic have worked closely on both investments in and the project framework of this effort. SafeLogic has been actively working with OpenSSL on this project since July 2016.

“This is what we've been waiting for—getting this effort off to a good strong start—and with a few more partners from the community, we'll be on our way toward a complete FIPS 140-2 solution for OpenSSL releases 1.1 and later,” said Steve Marquess, President of OpenSSL Validation Services, Inc. “We're already hard at work on the initial stage of designing a new module to accommodate the many changes in FIPS 140 validations over the past five years, and looking forward to a modernized implementation that can support the community for years to come.” 

“Oracle has made a significant pledge, underscoring their crucial role in the future of open source FIPS 140-2 capabilities,” said SafeLogic CEO Ray Potter. “Other sponsors with a vested interest should get in touch with SafeLogic to arrange their own donations, as we are administering contributions to directly fund both the hard and soft costs of the OpenSSL 1.1 FIPS Module project.”

For more information about the project, how to contribute or the future roadmap, please contact [email protected].

 

About SafeLogic
SafeLogic provides innovative encryption products for applications in mobile, server, and appliance environments. Our flagship product, CryptoComply™, provides drop-in FIPS 140-2 compliance with a common API across platforms, while our RapidCert process has revolutionized the way that FIPS 140-2 validations are earned. SafeLogic is privately held and is headquartered in Palo Alto, CA. For more information about SafeLogic, please visit www.SafeLogic.com.

 

About Oracle

The Oracle Cloud offers complete Software as a Service (SaaS) application suites for ERP, HCM and CX, plus best-in-class database Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) from data centers throughout the Americas, Europe and Asia. For more information about Oracle (NYSE:ORCL), please visit us at Oracle.com.

Trademarks
Oracle and Java are registered trademarks of Oracle and/or its affiliates. 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19071
PUBLISHED: 2019-11-18
A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVE-2019-19072
PUBLISHED: 2019-11-18
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVE-2019-19073
PUBLISHED: 2019-11-18
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, ...
CVE-2019-19074
PUBLISHED: 2019-11-18
A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVE-2019-19075
PUBLISHED: 2019-11-18
A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.