March 2013 | SafeLogic

Archive for March, 2013

27 Mar 2013

If Time Equals Money…

Last week, we eulogized the Private Label program from the OpenSSL Software Foundation, but we promised to explain why we aren’t really upset.  Those reasons are led by concerns surrounding timeline.

Traditionally, it has taken a year or more to complete a FIPS 140-2 validation. In fact, we’ve personally seen validations take 16 months.  In that time, you could miss out on a lot of potential revenue.  When FIPS validation is a requirement, your buyers’ hands are tied and your technical features and competitive advantages are moot.  Customers will select another product rather than wait a year.

Why does it take so long? It can take a couple of months to gather the information needed to document your crypto module. Then, an accredited testing lab takes another few months to check the evidence and run their tests. Their test report is sent to the Cryptographic Module Validation Program (CMVP). Waiting for an available CMVP certifier to review the report can take several more months. Finally, the certifier asks the testing lab some questions and, assuming the responses are satisfactory, approves the validation. Each step has its own bottlenecks, and the process is backlogged from end to end. As you can imagine, any issue can easily incur setbacks measured in weeks, not days. To top it all off, none of that factors in the time your team spent installing and testing the crypto module in the first place.

Integrating CryptoComply into your application gives you an instantly compliant solution because CryptoComply already has a FIPS 140-2 validation. Along with the crypto library software, SafeLogic has developed tools and documentation to make integrating CryptoComply into your mobile and server applications easier and quicker.

The net result is that by using SafeLogic’s validated encryption module, your compliance can be verified, so customer responses are extremely positive.  Buyers with a FIPS 140-2 requirement can begin a pilot program immediately, opening many sales opportunities while your competitors are waiting in the CMVP queue.

If you choose to pursue a FIPS validation certificate, the initial steps are accelerated thanks to CryptoComply’s ease of installation.  Not only that, but customers can proceed in good faith, knowing that your product is already verifiable as compliant.  This keeps your sales from grinding to a halt while the CMVP completes the process.

If you are in this category and a FIPS certificate is in your future, be sure to read next week’s post, discussing how RapidCert can slash the timeline even further!

19 Mar 2013

Farewell, Private Label

Now that the OpenSSL Software Foundation (OSF) has announced that they have halted their “private label” program and have no future plans for continuing their own FIPS 140 validations, what are application developers supposed to do?  OpenSSL is one of the most popular open source tools used by developers to provide TLS/SSL functions, as well as lower-level cryptographic functions, so this news is very concerning for a lot of companies.

Luckily, our timing to launch was excellent, as SafeLogic’s CryptoComply picks up where OSF left off. CryptoComply is a FIPS 140-2 validated cryptographic software module compatible with OpenSSL, replacing the low-level (libcrypto) libraries.  By integrating CryptoComply into your OpenSSL implementation, you get a “drop-in” FIPS 140-2 compliant solution.  Also, since OpenSSL is used in other security solutions such as OpenVPN, OpenSSH, and Apache Tomcat, you can easily make these communication functions FIPS compliant as well.

So yes, it’s unfortunate that the OSF has ended their “private label” validations, but don’t worry.  Over the next few weeks, we will demonstrate in this blog how SafeLogic’s products can surpass your expectations of both cost and timeline.

If you just can’t wait for the next blog post, contact SafeLogic immediately and we’ll get you up to speed.

14 Mar 2013

Let’s Discuss Compliance and Encryption in ICS

I’m pretty excited to be the headliner for the Industrial Control System Information Sharing and Analysis Center monthly briefing on Wednesday, March 20th.

Scratch that – I’m very excited!

The ICS-ISAC is a vital cog in the collaboration of cybersecurity information, sharing the knowledge base with vertical ISACs and impacted parties, particularly the eighteen reliant sectors of the national Critical Infrastructure and Key Resources, as segmented by Homeland Security.

I hope to shed some light on the issues facing industrial control systems today that can be addressed with security controls and the application of encryption technology. These are non-trivial challenges, including how to deal with the influx of mobile devices, the need for secure remote access to systems and infrastructure, and compliance gaps in FAA communications. I’ll present use cases in several sectors, as well as my opinions about aligning security solutions with compliance and how to achieve both without compromise.

I’m also looking forward to hearing about the participants’ experience dealing with crypto in the ICS space. It should be an interesting, open discussion.

The webinar will also feature the monthly update from ICS-ISAC Chair Chris Blask, so don’t miss it.

Join us on Wednesday, March 20, 2013 at 10:00 AM Pacific.
Register here.


11 Mar 2013

On the Recent CMVP Implementation Guidance

We started SafeLogic to bring a strong cryptographic module to market that meets requirements for regulated environments. One of our main goals with CryptoComply is to ensure consistent compliance to evolving standards, including FIPS 140-2 and its Implementation Guidance. Implementation Guidance provides clarifications or refinements to requirements in the FIPS 140-2 standard.

Just before our official launch last week, the OpenSSL Software Foundation (OSF) issued a statement on recent guidance from CMVP that sent a ripple through the community.

The OSF summarized the impact of this guidance rather well:

This new interpretation requires that none of the function calls in our cryptographic library can return useful information until after the POST is performed. It also requires that this restriction must be enforced in the module, that is in the cryptographic library itself, and not merely stated as a condition to be satisfied by the calling application.

OpenSSL Software Foundation

The second part is the crux of the issue. In the past, this requirement could be met by procedural guidance and policy: the security policy simply told the calling application to run the power-on self-test (POST) before using any cryptographic function. Now the module itself must enforce that ordering. The OSF memo paints an understandably bleak picture of OSF’s current and future plans for addressing FIPS 140, and it is of considerable concern to product vendors implementing OpenSSL and trying to obtain FIPS 140-2 validation.
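To make the enforcement point concrete, here is an added illustration in Python (not OSF or SafeLogic code, and not a real FIPS module) of a library in which every public entry point triggers and checks the POST internally, so the calling application cannot obtain output before the self-test has passed or after it has failed. The SHA-256 known-answer vector is the published FIPS 180-4 example for "abc"; the class and method names are assumptions.

```python
import functools
import hashlib
import hmac
import threading

# Published known-answer vector: SHA-256("abc") from the FIPS 180-4 examples.
KAT_INPUT = b"abc"
KAT_DIGEST = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


def _gated(method):
    """Decorator for every public crypto entry point: the module itself runs
    the POST on first use and refuses to return anything until it has passed.
    The calling application cannot skip or forget this step."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        self._ensure_post()
        return method(self, *args, **kwargs)
    return wrapper


class CryptoModule:
    """Illustrative module. States: "pending" (POST not yet run), "ok" (POST
    passed), "error" (POST failed: every call raises, nothing is released)."""

    def __init__(self, kat_expected=KAT_DIGEST):
        # kat_expected is injectable only so a failing POST can be demonstrated.
        self._kat_expected = kat_expected
        self._state = "pending"
        self._lock = threading.Lock()

    def _run_post(self):
        actual = hashlib.sha256(KAT_INPUT).digest()
        self._state = "ok" if hmac.compare_digest(actual, self._kat_expected) else "error"

    def _ensure_post(self):
        with self._lock:                      # one thread runs the POST; others wait
            if self._state == "pending":
                self._run_post()
            if self._state != "ok":
                raise RuntimeError("POST not passed; module is in the error state")

    def post_status(self):
        # Status reporting is not cryptographic output, so it is not gated.
        return self._state

    @_gated
    def sha256(self, data):
        return hashlib.sha256(data).digest()

    @_gated
    def hmac_sha256(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()
```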

What’s a product developer to do?

There might be procedural work-arounds and creative approaches to defining a new boundary, but frankly, both are met with risks of increased cost, time, and engineering commitment.

I’ll offer a simpler solution: SafeLogic’s CryptoComply. It meets the requirements of FIPS 140 and this new Implementation Guidance. No risky “creative” approaches, and no larger boundary definition that requires you to revalidate more often. Just out-of-the-box compliance.

If you are running OpenSSL, contact us. We’re directly compatible, and our tools and scripts will get you going quickly. Drop it in, and move on to the next critical feature on your product roadmap.


6 Mar 2013

Announcing SafeLogic

Hello everyone!

Thank you for being here and checking out the site. I’m very happy to be writing this post!

I’m proud to announce the launch of SafeLogic Inc. and our flagship product, CryptoComply. We have been working for over a year building something that is really exciting and much needed. Since founding Apex Assurance Group eight years ago and running the certifications program at Cisco Systems for several years before that, I’ve seen so many challenges that vendors consistently face, not only implementing cryptographic solutions, but also having them validated for compliance. As a result, we got to work building software, tools, and services to directly address those pain points.

Even though we’re officially just launching, our product is complete and in the market. CryptoComply has been fully tested by an independent lab and is already in use by top security and networking companies for their mobile applications and enterprise software. We’re featured in security gear being deployed into DISA/DoD. We’re licensed by a very hot startup securing mobile and server traffic. We’re providing control plane encryption for one of the leading mobile app management solutions on the market. We’re encrypting session traffic in a major networking vendor’s mobile VPN client.

These vendors looked at the traditional players in the space and chose SafeLogic for our robust tool set, ease of integration, and solid support. But it doesn’t end there.

The validation and compliance piece is where we really nailed it. In addition to the instant “drop-in” compliance with Suite B and FIPS 140 that CryptoComply offers, we offer the RapidCert program to dramatically reduce engineering effort and time to FIPS validation. No other crypto library vendor knows FIPS like we do. Period.

Stay tuned for more announcements of other very cool things in the near future. And to our customers, advisors, partners, and friends… THANK YOU!

Best regards,

Ray Potter
CEO, Co-founder