NIAP Requests for a Mitigation Plan

Lachlan Turner Certifications, Common Criteria

Vendors with products on NIAP’s Common Criteria Product Compliant List (PCL) may from time to time receive a request from NIAP for a mitigation plan addressing a given widespread vulnerability (e.g. Meltdown, Spectre). This is in keeping with NIAP Policy 17, which is intended to “ensure products receiving a NIAP Common Criteria certificate do not contain known vulnerabilities”.


Happy Birthday – So What?

Jason Lawlor Lightship News, Uncategorized

Lightship Security is 4 years old this month. Since our founding, we have remained steadfast in our commitment to building a strong, profitable and growing platform to support our international client base. Why does this matter? Given the recent churn in the product certification industry, including evolving standards and the shuttering of multiple long-standing labs, vendors are more than ever looking for a stable, committed and technically capable certification partner going into the next decade.

Lightship can be that partner:


Automated Algorithm Testing Tutorial

Jason Lawlor ACVP, FIPS 140-2

Lightship is ready to support our clients with their Automated Cryptographic Validation Program (ACVP) testing requirements. If you are curious about the program, here’s a short primer on how the process is going to work:

Contact us today to see how our custom automated test tools can smooth the transition to the new ACVP program.

Canada Open for EAL4

Lachlan Turner Certifications, Common Criteria, Lightship News

The Canadian Centre for Cyber Security recently released its updated Common Criteria (CC) Program Instructions, which state that they will consider accepting EAL3 and EAL4 evaluations on a case-by-case basis. Evaluations were previously restricted to those claiming an approved Protection Profile (PP) or EAL2.

Based on the updated instructions it’s clear that the Canadians want to make sure that there is a good business case for why they should deploy valuable resources to support a given EAL3/4 evaluation. This will include factors such as where the request for evaluation is coming from (i.e. Government of Canada, a Canadian critical infrastructure sector, or from another country), whether there is an applicable PP and whether the technology / evaluation will provide value to Canada.


Lightship named a Canadian Top New Growth Company

Jason Lawlor Lightship News

Canadian Business and Maclean’s today ranked Lightship Security No. 31 on the 2019 Startup 50 ranking of Canada’s Top New Growth Companies. Serving as a companion list to the longstanding Growth 500 ranking of Canada’s Fastest-Growing Companies and produced by Canada’s premier business and current affairs media brands, the Startup 50 ranks younger companies on two-year revenue growth. Lightship Security made the 2019 Startup 50 list with two-year revenue growth of 529%.

Read the full press release here.

This award is a great validation of our team, strategy and ability to execute. As an independently owned organization trying to disrupt a mature market, we are excited by how the industry is embracing our modernized, automated process that is resulting in better, faster outcomes for our clients.

Lightship Security is an independently owned, ISO 17025 accredited cybersecurity laboratory specializing in standards-based product security testing. We have offices in Ottawa, Vancouver and Austin, Texas, which serve a growing global client base.

OpenSSL and ACVP Parsing

Greg McLearn ACVP, FIPS 140-2

OpenSSL is used in some capacity by an overwhelmingly large percentage of the enterprise vendor community. Those vendors that need to go through FIPS 140-2 or Common Criteria may need to perform algorithm testing and may find that they can only interact with the new ACVP-formatted test cases. Below, we talk about some practical options available to those vendors who have not yet bridged the gap.


Cyber Security Test Lab 2.0

Jason Lawlor Certifications, Uncategorized

Product certification providers like Lightship have been relatively insulated from the pace of change that other industries have been forced to adapt to over the past several years.

That is no longer the case. Increasingly technical, prescriptive test requirements, product complexity and new assurance demands mandated by governments mean that product certification labs are being forced to evolve and adapt.


Game of Certifications: A Song of Common Criteria Requirements

Alex Thurston Certifications, Common Criteria

If you’ve ever spent any amount of time delving into the world of Common Criteria (CC), you’ve no doubt come across the veritable Roman/biblical hierarchy of relationships between the various components. At times, it would make even Cersei Lannister blush. In support of the CC automation we are doing at Lightship Security, I took on the daunting task of modelling this complex family tree in software. Here’s what I learned about who begat whom in the family tree of CC requirements.


Ottawa’s Fastest Growing Companies – #2 for 2019

Jason Lawlor Lightship News

Lightship Security has been named as Ottawa’s second Fastest Growing Company for 2019.

Every year the Ottawa Business Journal (OBJ) recognizes 10 regional companies for their substantial, sustainable, and profitable growth.

Fueled by an industry-first automated approach to product security certification, we have bootstrapped our way to substantial growth over a three-year period to earn the 2019 award.

Lightship’s mission to modernize the legacy approach to third-party product security certifications (like Common Criteria) through our automated test platform, Greenlight, is proving a key differentiator and driver of sales growth. Our approach dramatically eliminates the risk of certification delays and product re-development, and reduces time to market for a growing list of international clients.


Understanding the Scope of NDcPP Evaluations

Greg McLearn Common Criteria

When first exposed to the Network Device collaborative Protection Profile (NDcPP), vendors are often surprised by the extremely narrow scope. It is critical to realize that the Protection Profile (PP) refers to an abstract “network device” with required functionality that should appear in any good network citizen. It doesn’t look to any specific vendor or technology type. Rather, the PP refers to the minimalist ideal of security-relevant functionality focused almost entirely on how security administrators interface and interact with the device.
