Collateral Damage
Impact of Frequent Policy Changes on Vendors and Customers

Joshua Brickman
Director, Security Evaluations
Oracle Global Product Security

Glenn Brunette
Distinguished Security Architect
Oracle Global Product Security

November 6, 2015
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Today’s Speakers

Glenn Brunette
• 25 Years Information Security Experience
• 16 Years with Oracle (incl. 11 Years with Sun)
• Customer Security Compliance Focus

Josh Brickman
• Leads Security Evaluations @ Oracle
• Frequent Speaker at Security Conferences
• Completed Many Cert. Projects since 2006

Session Agenda
1. Background
2. Customer Experiences
3. Vendor Challenges
4. Recommendations
5. Q&A

Background: Oracle
• 132,000 Employees
  – 36,000 Developers and Engineers
• 1,000s of Products and Services
  – #1 in 50 product/industry categories
  – #2 software company in the world
  – #2 cloud company in the world
• 400,000 Customers
  – Across 145 Countries

Background: Oracle and FIPS 140
• Validating Oracle Developed Modules
  – e.g., Oracle Solaris Cryptographic Framework, Oracle StorageTek T10000 Tape Drives, Java Card Platform, Acme Packet Session Border Controller
• Leveraging Third-Party Validated Modules (“FIPS Inside”)
  – RSA BSAFE Crypto-C Micro-Edition
  – RSA BSAFE Crypto-J
  – OpenSSL
• Many Products Contain Multiple Modules

Customer Pain Points
• Comparing Apples and Oranges
• Education and Awareness
• Operational Decisions

Education and Awareness
• FIPS 140 Approved vs. Validated
  – Complicated Landscape to the “Outsider”
  – e.g., FIPS 197, NIST 800-38A, CAVP/CMVP Lists, IG
• Degree of Algorithm Specificity
  – “Encrypted” versus “AES” versus “AES-256-CTR”
• Module vs. Product Validation
  – Is “Oracle WebLogic” FIPS 140 validated?
• FIPS Inside vs. Vendor Validations
  – “I checked the CMVP site and you are not listed.”

Comparing Apples and Oranges
• Module Versioning != Product Versioning
  – Especially challenging with “FIPS Inside”
  – Module versioning can be somewhat arbitrary
  – Specificity of product versioning can also be challenging
• Mapping Product Cryptography to Modules
  – Products may not validate every cryptographic module
  – “What underlying module provides a given cryptographic service or function?”
• Cryptography in “Nested Products”
  – Satisfying compliance documentation mandates can get tricky...

Operational Considerations
• Understanding Requirements Scope
  – Data at Rest? Data in Transit? Business versus Management/Operations Uses?
• Ill-advised “Workarounds”
  – Avoiding the use of cryptography altogether
• Lack of Organizational Expertise
  – Keeping up is somewhat predicated on already “being up to speed”?
  – FIPS 140 requires a broad and diverse organizational understanding

Customer Experiences Summary
• Lack of Understanding
• Inconsistent Application
• Reduction in Security
(FIPS PUB 140-2, May 25, 2001)

Changes are Coming
“It’s been a long time coming
But I know a change is gonna come, oh yes it will”
-- Sam Cooke, A Change is Gonna Come, 1964

Wants
• NIST/CMVP want the strongest crypto now for their customers
• Vendors want the strongest crypto for their customers (with the least performance impact)
• Customers want the highest security for acquired products for the lowest price
SO WHAT’S THE PROBLEM?

The Shampoo Algorithm
Lather, Rinse, Repeat

CMVP Guidance: is it following the Shampoo Algorithm?
1. NIST/CMVP issues draft guidance
2. Industry and Labs read, respond and provide feedback
3. Draft becomes final
Lather/Rinse, Repeat. But we never get to a place where we are working together.

Vendor Challenges (Example #1): AES-GCM IV Generation
2007
• NIST SP 800-38D published
• Two IGs issued
2009
• IG A.5 Key/IV Pair Uniqueness Requirements
• External IV generation is not allowed for CMVP (allowed for CAVP)
2015
• IG A.5 Overhauled
• IG effective immediately (no grandfathering)
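The requirement behind this timeline, as an added Go example that is not from the deck or from any Oracle product: AES-GCM IVs are generated inside the module boundary using the SP 800-38D deterministic construction (fixed field plus invocation counter), the API offers no way for a caller to supply an IV, and the module stops rather than letting the counter wrap and repeat a key/IV pair. The GCMModule type, the 32/64-bit field split and the all-zero test key are assumptions made for the demonstration; Go is used because its standard library ships AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Deterministic IV construction from NIST SP 800-38D section 8.2.1: a
// 96-bit IV is a 32-bit fixed field identifying the module or context,
// followed by a 64-bit invocation field, a counter that must never repeat
// for a given key.
const (
	fixedFieldLen = 4
	ivLen         = 12
)

// ErrIVExhausted is returned once the invocation field would wrap; the
// only safe continuation is to establish a new key.
var ErrIVExhausted = errors.New("gcm: invocation counter exhausted, establish a new key")

// GCMModule models the cryptographic module boundary (hypothetical type).
// Key and IV state live inside it; callers can only seal or open, and
// there is deliberately no way to pass an IV in from outside.
type GCMModule struct {
	aead       cipher.AEAD
	fixedField [fixedFieldLen]byte
	invocation uint64 // value the next IV carries in its invocation field
	exhausted  bool
}

// NewGCMModule binds a key to a module. nextInvocation is 0 for a fresh
// key; a module that persists its counter passes the stored value back in
// after a restart, since restarting from 0 under the same key would repeat
// IVs (the alternative is to establish a fresh key on every restart).
func NewGCMModule(key []byte, fixedField uint32, nextInvocation uint64) (*GCMModule, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	m := &GCMModule{aead: aead, invocation: nextInvocation}
	binary.BigEndian.PutUint32(m.fixedField[:], fixedField)
	return m, nil
}

// nextIV builds the next IV. Wrapping the counter would reuse an IV under
// the same key, which breaks both confidentiality and the GCM tag, so the
// module stops instead of wrapping.
func (m *GCMModule) nextIV() ([]byte, error) {
	if m.exhausted {
		return nil, ErrIVExhausted
	}
	iv := make([]byte, ivLen)
	copy(iv, m.fixedField[:])
	binary.BigEndian.PutUint64(iv[fixedFieldLen:], m.invocation)
	if m.invocation == ^uint64(0) {
		m.exhausted = true // that was the last usable counter value
	} else {
		m.invocation++
	}
	return iv, nil
}

// Seal encrypts and authenticates plaintext (plus optional additional data)
// under an internally generated IV and returns iv || ciphertext || tag.
func (m *GCMModule) Seal(plaintext, aad []byte) ([]byte, error) {
	iv, err := m.nextIV()
	if err != nil {
		return nil, err
	}
	out := make([]byte, ivLen, ivLen+len(plaintext)+m.aead.Overhead())
	copy(out, iv)
	return m.aead.Seal(out, iv, plaintext, aad), nil
}

// Open verifies and decrypts the output of Seal. The IV travels with the
// ciphertext, so the receiving side never generates one.
func (m *GCMModule) Open(sealed, aad []byte) ([]byte, error) {
	if len(sealed) < ivLen+m.aead.Overhead() {
		return nil, errors.New("gcm: sealed data too short")
	}
	return m.aead.Open(nil, sealed[:ivLen], sealed[ivLen:], aad)
}

// IV returns the IV carried by a sealed message, so a reviewer can check
// that no two messages sealed under one key share an IV.
func IV(sealed []byte) []byte {
	if len(sealed) < ivLen {
		return nil
	}
	return sealed[:ivLen]
}
```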

Vendor Challenges (Example #1): Oracle’s reaction (one product)?
1. When the new IG was issued we immediately dropped all ongoing work to analyze the new IG
2. Oracle wrote up a proposal to mitigate the impact of the new IG while still meeting the spirit of the IG. We sent it on to the CMVP
3. While waiting for a response CMVP came out with another IG
4. On August 7th the new IG became effective immediately. Oracle never heard back on our proposal

Vendor Challenges (Example #2): Entropy
• In 2012 NIST releases two draft Special Publications (SP 800-90B and SP 800-90C, for comment)
• Comments are collected but the SPs are never finalized
• August 2015, IG 7.15 published, effective immediately (no grandfathering): new requirements for Entropy Assessment for labs
• 3rd-party components provide certain functionality (for example to improve performance or provide a source of entropy)
• Most vendors have no ability to test or assess the entropy provided

Vendor Challenges (Example #2 cont.): Oracle’s reaction (an Oracle product)
1. Oracle product gets entropy from a 3rd party
2. The status of the project at the time of release of the IG was “Under Review”
3. Oracle has no ability to provide detailed design information as the 3rd party is unwilling to share it with Oracle
4. Oracle also volunteered to the CMVP available information on entropy that was accepted by CMVP for previous validations
5. Oracle asked for and received a waiver*
*For the next project we may not get a waiver. With better transition planning CMVP won’t be getting all these requests for waivers.

Recommendations
<Or how to get out of the Shampoo Algorithm>

Recommendations (or How to get out of the shower)
• Form a Technical Community (CMUF working with CMVP)!
  – Take a page from NIAP or the CCRA and work together to solve problems
  – Take advantage of the vast resources of industry
  – Create one for IG
  – One for FIPS 140-4, etc.
  – Instead of throwing IGs over the wall, work together to come up with consensus
• Timing
  – When IGs are released, give industry time to react!
  – Every reactive response to an IG is less time for industry to build product and fix bugs

Recommendations (and while we’re on the topic): Collaborate
• It’s high time that NIAP and NIST go back to being a partnership (still too much overlap -- see Entropy)
• Negotiate with other crypto schemes to see if any mutual recognition can be negotiated
• NIST: Let’s add a “FIPS Inside” List (maybe voluntary?)

Questions? Shampoo Advice?

Josh Brickman
joshua.brickman@oracle.com
Glenn Brunette
glenn.brunette@oracle.com

Brickman-Brunette 2015-ICMC