Once you have spent the time and money to pursue a security validation, you’re all done, right? Well, not exactly. However, the good news is that it isn’t hard or expensive to maintain your validation.
For most security validations, the validation applies to a specific version of hardware and software. At the beginning of your evaluation you must choose which versions of your product you are taking through the validation process.
Your customers are asking for your product to go through a security validation. You have begun evaluating your options, have started to develop a strategy, and have decided that this is not a task you can handle on your own. Your first step will be to talk to an expert consultant.
But how do you choose one?
We have completed another marathon week in San Francisco at the annual RSA Data Security Conference. For many in our industry, Corsec included, this conference continues to be an important place to gain new insights, visit with customers and partners, and attend meaningful talks.
You may have heard about the new interpretation of the mandatory requirement in Section 9.5 of the Implementation Guidance (IG) document, a key component of FIPS 140-2 documentation issued by the Cryptographic Module Validation Program (CMVP). This interpretation is causing conflicts with the architecture of the OpenSSL validations and how OpenSSL’s validation applies to customers using their software.