Application Security

8/3/2017
05:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Oracle, SafeLogic and OpenSSL Partner on Next Generation FIPS Module

Oracle dedicates seed funding towards developing FIPS module for OpenSSL 1.1 and calls on corporate sponsors in the FOSS ecosystem to join the effort

REDWOOD SHORES, Calif., August 3, 2017 – Oracle, OpenSSL and SafeLogic today announced a seed investment in developing the next generation open source OpenSSL 1.1 FIPS 140-2 module, and called for others to join the effort. OpenSSL is the most widely used and respected cryptographic library protecting data transfers across computer networks. 

The Federal Information Processing Standard (FIPS) 140-2 is a joint U.S. and Canadian government security standard for testing cryptographic modules, the objective of which is to ensure the use of strong and validated cryptographic protection in U.S. and Canadian government systems. However, it’s also widely respected and informally accepted by other countries and non-government industries as a strong and trustworthy standard for cryptographic modules used within commercial products. The current FIPS module for OpenSSL has not had a significant upgrade since 2012, during which time encryption standards have significantly evolved. Helping drive the updated OpenSSL FIPS project forward, Oracle has made a $50,000 seed investment to start the project, with another $50,000 to follow based on the progress of the effort.

“Ensuring that OpenSSL maintains an up to date FIPS implementation is critical to helping maintain the security posture of sensitive data on government systems and the continuous safety of millions of transactions performed daily. We as a community have a responsibility to maintain the confidence of users in these systems,” said Jim Wright, Chief Architect, Open Source Policy, Strategy, Compliance and Alliances at Oracle. “Given the complexity of the task at hand, we encourage other software vendors to join us in and donate to this project to deliver a free, open-source FIPS module that will benefit everyone.”

In addition to working closely with the OpenSSL Foundation’s team, Oracle and SafeLogic have worked closely on both investments in and the project framework of this effort. SafeLogic has been actively working with OpenSSL on this project since July 2016.

“This is what we've been waiting for—getting this effort off to a good strong start—and with a few more partners from the community, we'll be on our way toward a complete FIPS 140-2 solution for OpenSSL releases 1.1 and later,” said Steve Marquess, President of OpenSSL Validation Services, Inc. “We're already hard at work on the initial stage of designing a new module to accommodate the many changes in FIPS 140 validations over the past five years, and looking forward to a modernized implementation that can support the community for years to come.” 

“Oracle has made a significant pledge, underscoring their crucial role in the future of open source FIPS 140-2 capabilities,” said SafeLogic CEO Ray Potter. “Other sponsors with a vested interest should get in touch with SafeLogic to arrange their own donations, as we are administering contributions to directly fund both the hard and soft costs of the OpenSSL 1.1 FIPS Module project.”

For more information about the project, how to contribute or the future roadmap, please contact [email protected].

 

About SafeLogic
SafeLogic provides innovative encryption products for applications in mobile, server, and appliance environments. Our flagship product, CryptoComply™, provides drop-in FIPS 140-2 compliance with a common API across platforms, while our RapidCert process has revolutionized the way that FIPS 140-2 validations are earned. SafeLogic is privately held and is headquartered in Palo Alto, CA. For more information about SafeLogic, please visit www.SafeLogic.com.

 

About Oracle

The Oracle Cloud offers complete Software as a Service (SaaS) application suites for ERP, HCM and CX, plus best-in-class database Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) from data centers throughout the Americas, Europe and Asia. For more information about Oracle (NYSE:ORCL), please visit us at Oracle.com.

Trademarks
Oracle and Java are registered trademarks of Oracle and/or its affiliates. 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8030
PUBLISHED: 2018-06-20
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 a...
CVE-2018-1117
PUBLISHED: 2018-06-20
ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this cou...
CVE-2018-11701
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x005cb509, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11702
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cb3, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11703
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d6a, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.