OpenSSL and ACVP Parsing

Greg McLearn ACVP, FIPS 140-2, Tools

OpenSSL is used in some part by an overwhelmingly large percentage of the enterprise vendor community. Those vendors which need to go through FIPS 140-2 or Common Criteria may find themselves needing to perform algorithm testing and may be presented with only being able to interact with the new ACVP-formatted test cases. Below, we talk about some practical options available to those vendors who have not yet bridged the gap.

Read More

Cyber Security Test Lab 2.0

Jason Lawlor Certifications, Uncategorized

Product certification providers like Lightship have been relatively insulated from the pace of change that other industries have been forced to adapt to over the past several years.

That is no longer the case.  Increasingly technical, prescriptive test requirements, product complexity and new assurance demands mandated by governments mean that product certification labs are being forced to evolve and adapt.

Read More

Game of Certifications: A Song of Common Criteria Requirements

Alex Thurston Certifications, Common Criteria

If you’ve ever spent any amount of time delving into the world of Common Criteria (CC), you’ve no doubt come across the veritable Roman/biblical hierarchy of relationships between the various components.  At times, it would make even Cersei Lannister blush.  In support of the CC automation we are doing at Lightship Security, I took on the daunting task of modelling this complex family tree in software. Here’s what I learned about who begat whom in the family tree of CC requirements.

Read More

Ottawa’s Fastest Growing Companies – #2 for 2019

Jason Lawlor Lightship News

Lightship Security has been named as Ottawa’s second Fastest Growing Company for 2019.

Every year the Ottawa Business Journal (OBJ) recognizes 10 regional companies for their substantial, sustainable, and profitable growth. 

Fueled by an industry first automated approach to product security certification, we have bootstrapped our way to substantial growth over a three-year period to earn the 2019 award.

Lightship’s mission to modernize the legacy approach to 3rd party product security certifications (like Common Criteria) through our automated test platform, Greenlight is proving a key differentiator and driver of sales growth. Our approach dramatically eliminates the risk of certification delays, product re-development and reduces time to market for a growing list of international clients.

Read More

Understanding the Scope of NDcPP Evaluations

Greg McLearn Common Criteria

When first exposed to the Network Device collaborative Protection Profile (NDcPP), vendors are often surprised by the extremely narrow scope. It is critical to realize that the Protection Profile (PP) refers to an abstract “network device” with required functionality that should appear in any good network citizen. It doesn’t look to any specific vendor or technology type. Rather, the PP refers to the minimalist ideal of security-relevant functionality focused almost entirely on how security administrators interface and interact with the device.

Read More

Challenges in Fuzzing RFC 1149

Greg McLearn Common Criteria, Humour

Conan Hoye and Greg McLearn contributed to this article.

At Lightship, we test a lot of NDcPP-compliant products. As part of those evaluations, we are required, as per Appendix A in the Supporting Document, to perform network fuzzing against the in-scope IP networking stacks. Recently we had a rather unique TOE which claimed conformance against RFC 1149 for one of their remote management interfaces.

Read More

NDcPP v2.1 endorsed by NIAP but which TDs apply?

Lachlan Turner Certifications, Common Criteria

[March 14, 2019 update] The NIAP list of TDs is now up to date with NDcPP v2.1 attribution.

NIAP announced their endorsement today of version 2.1 of the Network Device collaborative Protection Profile. We’ve previously described the changes in NDcPP v2.1. In this post, we look at which NIAP Technical Decisions (i.e. interpretations / minor edits) will still apply to this new version.

Read More

NDcPP – Are You A Good Network Citizen?

Jason Lawlor Certifications, Common Criteria

Vendors undertaking a Common Criteria project for the first time are often surprised by the scope and focus of the testing for a Network Devices collaborative Protection Profile (NDcPP) CC evaluation. Lightship’s Technical Director, Greg McLearn often refers to the testing involved in the NDcPP as “ensuring that the product is a good network citizen”. This is the NDcPP philosophy.

Read More

What’s changed since NDcPP v1.0?

Lachlan Turner Certifications, Common Criteria

[March 12, 2019 Update] NDcPPv2.1 has been formally endorsed by NIAP.

There are 41 products listed on the NIAP PCL that are compliant with the collaborative Protection Profile for Network Devices (NDcPP) v1.0.  These PCL listings will all expire within the next year or so. What can these vendors expect when updating their certifications from NDcPP v1.0 to NDcPP v2.0e? In this post, we examine the changes that have occurred to the NDcPP to help answer this question.

Read More