Application Security

8/3/2017
05:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Oracle, SafeLogic and OpenSSL Partner on Next Generation FIPS Module

Oracle dedicates seed funding towards developing FIPS module for OpenSSL 1.1 and calls on corporate sponsors in the FOSS ecosystem to join the effort

REDWOOD SHORES, Calif., August 3, 2017 – Oracle, OpenSSL and SafeLogic today announced a seed investment in developing the next generation open source OpenSSL 1.1 FIPS 140-2 module, and called for others to join the effort. OpenSSL is the most widely used and respected cryptographic library protecting data transfers across computer networks. 

The Federal Information Processing Standard (FIPS) 140-2 is a joint U.S. and Canadian government security standard for testing cryptographic modules, the objective of which is to ensure the use of strong and validated cryptographic protection in U.S. and Canadian government systems. However, it’s also widely respected and informally accepted by other countries and non-government industries as a strong and trustworthy standard for cryptographic modules used within commercial products. The current FIPS module for OpenSSL has not had a significant upgrade since 2012, during which time encryption standards have significantly evolved. Helping drive the updated OpenSSL FIPS project forward, Oracle has made a $50,000 seed investment to start the project, with another $50,000 to follow based on the progress of the effort.

“Ensuring that OpenSSL maintains an up to date FIPS implementation is critical to helping maintain the security posture of sensitive data on government systems and the continuous safety of millions of transactions performed daily. We as a community have a responsibility to maintain the confidence of users in these systems,” said Jim Wright, Chief Architect, Open Source Policy, Strategy, Compliance and Alliances at Oracle. “Given the complexity of the task at hand, we encourage other software vendors to join us in and donate to this project to deliver a free, open-source FIPS module that will benefit everyone.”

In addition to working closely with the OpenSSL Foundation’s team, Oracle and SafeLogic have worked closely on both investments in and the project framework of this effort. SafeLogic has been actively working with OpenSSL on this project since July 2016.

“This is what we've been waiting for—getting this effort off to a good strong start—and with a few more partners from the community, we'll be on our way toward a complete FIPS 140-2 solution for OpenSSL releases 1.1 and later,” said Steve Marquess, President of OpenSSL Validation Services, Inc. “We're already hard at work on the initial stage of designing a new module to accommodate the many changes in FIPS 140 validations over the past five years, and looking forward to a modernized implementation that can support the community for years to come.” 

“Oracle has made a significant pledge, underscoring their crucial role in the future of open source FIPS 140-2 capabilities,” said SafeLogic CEO Ray Potter. “Other sponsors with a vested interest should get in touch with SafeLogic to arrange their own donations, as we are administering contributions to directly fund both the hard and soft costs of the OpenSSL 1.1 FIPS Module project.”

For more information about the project, how to contribute or the future roadmap, please contact [email protected].

 

About SafeLogic
SafeLogic provides innovative encryption products for applications in mobile, server, and appliance environments. Our flagship product, CryptoComply™, provides drop-in FIPS 140-2 compliance with a common API across platforms, while our RapidCert process has revolutionized the way that FIPS 140-2 validations are earned. SafeLogic is privately held and is headquartered in Palo Alto, CA. For more information about SafeLogic, please visit www.SafeLogic.com.

 

About Oracle

The Oracle Cloud offers complete Software as a Service (SaaS) application suites for ERP, HCM and CX, plus best-in-class database Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) from data centers throughout the Americas, Europe and Asia. For more information about Oracle (NYSE:ORCL), please visit us at Oracle.com.

Trademarks
Oracle and Java are registered trademarks of Oracle and/or its affiliates. 

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Now, we come here to play Paw-ke Man Go!"
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6497
PUBLISHED: 2019-01-20
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
CVE-2018-18908
PUBLISHED: 2019-01-20
The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) attacks, whereby an attacker would be able to obtain the data sent in these requests. Some of the requ...
CVE-2019-6496
PUBLISHED: 2019-01-20
The ThreadX-based firmware on Marvell Avastar Wi-Fi devices allows remote attackers to execute arbitrary code or cause a denial of service (block pool overflow) via malformed Wi-Fi packets during identification of available Wi-Fi networks. Exploitation of the Wi-Fi device can lead to exploitation of...
CVE-2019-3773
PUBLISHED: 2019-01-18
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CVE-2019-3774
PUBLISHED: 2019-01-18
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.