Multi-CA Capable OCSP Responder in OpenSSL

Greg McLearnCommon Criteria, Tools

At Lightship, we use a lot of open-source tools to perform our testing. Because of the nature of the tests we perform, we often find that these tools can be a bit too rigid. One specific example is that of the ocsp sub-tool provided in the apps directory of OpenSSL. In this blog post, we will describe the changes we made to the OCSP responder subtool and point to our implementation on github for your use and consideration.

Read More

Improving Product Security Through Protection Profiles

Greg McLearnCertifications, Common Criteria

It’s surprising to think that new-style Common Criteria Protection Profiles have been around in some way shape, or form, since late 2010, when the first Network Devices Protection Profile (NDPP) v1.0 was released by the Information Assurance Directorate (IAD) for use in the National Information Assurance Partnership (NIAP). The NDPP v1.0 was unique and represented a dramatic shift in policy and function for Common Criteria evaluations.

In this post, we will examine the positive effects that new-style protection profiles have had in product security over the last (almost) 10 years.

Read More

Comparing CAVP and ACVP – Test Harness Implications

Alex ThurstonACVP, Certifications, FIPS 140-2

As the legacy CAVP algorithm testing program is put to pasture and the newer automated testing program – ACVP takes its place, there are several questions, concerns and design considerations to think about. Foremost among them is how testing will work going forward and what it means for vendors and their existing implemented algorithm test harnesses.

One of the questions that often comes up here at Lightship is how does an existing test harness need to change to support the JSON formatted ACVP test vector sets and also to produce the needed response files. Because many vendors have an existing test harness based on the legacy program, they now have to redesign their harness for this new program which becomes mandatory on July 1, 2020.

Read More

What’s New in NDcPP v2.2?

Lachlan TurnerCertifications, Common Criteria

The Network Device international Technical Community recently (in December 2019) published version 2.2 of the collaborative Protection Profile for Network Devices – aka – NDcPP. The NDcPP is the most often used Common Criteria Protection Profile to achieve listing on the NIAP Product Compliant List (PCL).

NIAP are yet to formally endorse NDcPP v2.2 (UPDATE March 27, 2020: NIAP has now endorsed v2.2E which is basically the same as v2.2 but some front-matter changed) however it shouldn’t be too far off now – perhaps another month or so. With that in mind, it is useful to consider what has changed between v2.1 and v2.2 of the NDcPP. So, here are the main changes:

Read More

NIAP Requests for a Mitigation Plan

Lachlan TurnerCertifications, Common Criteria

Vendors with products on NIAP’s Common Criteria Product Compliant List (PCL) may from time-to-time receive a request from NIAP for a mitigation plan addressing a given widespread vulnerability (e.g. Meltdown, Spectre etc.). This is in keeping with NIAP Policy 17 which is intended to “ensure products receiving a NIAP Common Criteria certificate do not contain known vulnerabilities”.

Read More
birthday-birthday-so-what?

Happy Birthday – So What?

Jason LawlorLightship News, Uncategorized

Lightship Security is 4 years old this month.  Since our founding, we have remained steadfast in our commitment to building a strong, profitable and growing platform to support our international client base.   Why does this matter?  Given the recent churn in the product certification industry, including evolving standards and the shuttering of multiple long-standing labs, Vendors are more than ever looking for a stable, committed and technically capable certification partner going into the next decade.

 Lightship can be that partner:

Read More

Automated Algorithm Testing Tutorial

Jason LawlorACVP, FIPS 140-2

Lightship is ready to support our clients with their Automated Cryptographic Validation Program (ACVP) testing requirements. If you are curious about the program, here’s a short primer on how the process is going to work:

Contact us today to see how our custom automated test tools can smooth the transition to the new ACVP program.

Canada Open for EAL4

Lachlan TurnerCertifications, Common Criteria, Lightship News

The Canadian Centre for Cyber Security recently released its updated Common Criteria (CC) Program Instructions which state that they will consider accepting EAL3 and EAL4 evaluations on a case by case basis. Evaluations were previously restricted to those claiming an approved Protection Profile (PP) or EAL2.

Based on the updated instructions it’s clear that the Canadians want to make sure that there is a good business case for why they should deploy valuable resources to support a given EAL3/4 evaluation. This will include factors such as where the request for evaluation is coming from (i.e. Government of Canada, a Canadian critical infrastructure sector, or from another country), whether there is an applicable PP and whether the technology / evaluation will provide value to Canada.

Read More
startup50

Lightship named a Canadian Top New Growth Company

Jason LawlorLightship News

Canadian Business and Maclean’s today ranked Lightship Security No. 31 on the 2019 Startup 50 ranking of Canada’s Top New Growth Companies. Serving as a companion list to the longstanding Growth 500 ranking of Canada’s Fastest-Growing Companies and produced by Canada’s premier business and current affairs media brands, the Startup 50 ranks younger companies on two-year revenue growth. Lightship Security made the 2019 Startup 50 list with two-year revenue growth of 529%.

Read the full press release here.

This award is a great validation of our team, strategy and ability to execute. As an independently owned organization trying to disrupt a mature market, we are excited how the industry is embracing our modernized, automated process that is resulting in better, faster outcomes for our clients.

Lightship Security is an independently owned, ISO 17025 accredited cybersecurity laboratory specializing in standards based product security testing. We have offices in Ottawa, Vancouver and Austin, Texas which serve a growing global client base.

OpenSSL and ACVP Parsing

Greg McLearnACVP, FIPS 140-2, Tools

OpenSSL is used in some part by an overwhelmingly large percentage of the enterprise vendor community. Those vendors which need to go through FIPS 140-2 or Common Criteria may find themselves needing to perform algorithm testing and may be presented with only being able to interact with the new ACVP-formatted test cases. Below, we talk about some practical options available to those vendors who have not yet bridged the gap.

Read More