Can Software Security Be Certified?


By Alex Salkever

These are busy days at InfoGard Labs. The San Luis Obispo (Calif.) outfit is one of only six info-tech laboratories in the U.S. and Canada allowed to issue a government seal of approval known as FIPS compliance. FIPS stands for Federal Information Processing Standard, a rigorous set of criteria established by groups of government and private-sector experts on cryptography standards and implementations.

Starting in July, 2002, FIPS 140-2 standards became mandatory, replacing the older FIPS 140-1 rules. (Both the newer and older versions encompass four levels of security, with level one being the most lenient and level four the most stringent.) Every company seeking to sell encryption software to the federal government or to do business with Uncle Sam involving computers and encryption has to use equipment that holds a FIPS 140-2 compliance rating. We're not talking just spookware. Once strictly the province of military and intelligence communities, encryption is now common in everything from e-mail and instant-messaging software to databases.

At the same time, federal laws covering privacy requirements in banking and health care have mandated that more data be encrypted. The steady rise of cyberattacks has likewise made enhanced encryption a priority for business in general. And the rise of the Internet has in many cases forced FIPS compliance on seemingly benign systems, such as automated procurement software, that talk to federal computers.

LONG OVERDUE. Perhaps the most instrumental factor driving the rise in FIPS certifications, however, is market demand. "One of the big things that started 18 months ago was many more of our customers were coming to us to have validations for a marketing reason rather than because they were selling to the federal government," says Tom Caddy, InfoGard's test lab manager.

That's a good sign. Third-party verification and the imposition of basic encryption standards are long overdue in the often-footloose security software field. "I view a FIPS 140 level-one or -two certification as an indication that someone with a moderate degree of skill has looked over the design. This generally means that the product doesn't have huge and obvious top-level design flaws, whereas many uncertified products do," says Paul Kocher, president of Cryptography Research, a San Francisco software-testing and -design company that specializes in cryptography.

The FIPS standard is perhaps the most rigorous test around and, according to InfoGard, always entails a learning curve for software companies seeking certification. Software and security engineers at one of the six labs specializing in FIPS pore over a product's documentation to ensure that the initial design and planning phase complied. Invariably, this means teaching a company's product engineers to think in FIPS-speak. "We spend quite a bit of time on every new customer just performing training," says Ken Kolstad, director of operations at InfoGard.

LENGTHY PROCESS. Next, the FIPS engineers will study the basic code of the cryptographic module looking for underlying security flaws that could leave the module open to being compromised. Finally, the FIPS engineers put the product through its paces in a testing lab to make sure all the cryptographic elements perform as promised.

The whole process takes anywhere from 4 to 10 weeks, says Caddy, and costs the applicants from $20,000 to $40,000. Hardly anyone gets through unscathed. "We rarely see a product come to us that's compliant," says InfoGard's Kolstad. That hasn't stopped companies from banging on the door. According to Caddy, the total number that have received FIPS certifications has soared. From 1995 to 1997, 12 companies were certified, but just last year alone, 69 qualified.

Of course, FIPS certification doesn't confer total protection from hacker attacks -- something InfoGard readily concedes. In fact, some folks in the security field remain lukewarm toward the whole certification process. Bruce Schneier, a noted cryptographic expert and chief technology officer at Counterpane Internet Security in Cupertino, Calif., never considers certifications before buying a product. "Primarily, certification is a marketing tool," he says.

HACKER DRONES. Cryptography Research's Kocher feels that the current system, while a good start, has a key flaw: "The problem is that the testing companies make money by certifying products, not catching problems." Some might cut corners by relying heavily on automated attack programs to test products rather than live computer engineers. Automated software is a good baseline approach, but it falls far short of cunning humans hammering away at systems.

Certification labs counter that by saying they have to do a good job, or else their seal will mean nothing. "We jealously guard the integrity of that seal and what it stands for," says Leo Pluswick, technology program manager at ICSA Labs. A leading private company that performs software certifications to its own standard (rather than to the federal FIPS guidelines), ICSA is a subsidiary of Dulles (Va.) computer-security-services company TruSecure. Pluswick also claims that certification testing is priced low enough to emphasize participation over profits.

For companies such as firewall maker SyGate, an ICSA certification or a FIPS certification is a good investment. "The initial reason we pursued certification was a customer inquiry. They wanted third-party, independent verification," says Babak Salimi, director of product development for the Fremont (Calif.) software company.

LESS LENIENT. Still, Kocher and others envision a certification system more akin to the Insurance Institute for Highway Safety, the famous crash-test think-tank funded by auto insurers. "I think someday we'll see evaluation processes that are market-based, where certifications might be paid for by insurers," says Kocher. "This would eliminate the pressure on labs to satisfy their customers by being lenient and would provide market-based incentives to prevent problems."

That's a good idea -- and it may become reality soon, since cyber-insurance is likely to become de rigueur for companies operating in the Digital Age.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.
