[HN Gopher] PostgreSQL and FIPS Mode
       ___________________________________________________________________
        
       PostgreSQL and FIPS Mode
        
       Author : chmaynard
       Score  : 45 points
       Date   : 2023-12-05 11:22 UTC (1 days ago)
        
 (HTM) web link (peter.eisentraut.org)
 (TXT) w3m dump (peter.eisentraut.org)
        
       | nickvanw wrote:
| This is the un-fun work needed to get open source software into
| many different parts of the enterprise and government. It's not
| fun, and sometimes it's not even very difficult, but it's usually
| very time consuming and full of arcane knowledge.
       | 
       | Signed, someone who was dropped a big application and asked to
       | make it FIPS compliant ASAP.
        
         | pixl97 wrote:
         | Open, closed, it's all a bunch of fun getting working in FIPS
         | mode. Especially 3rd party applications. They'll call a
         | library, that calls a library that uses something not
         | compliant.
         | 
         | While FIPS is a pain in the ass, can show you potential
         | failures your software has with using ancient crypto methods
         | that are easy to enable and completely compromise the security
         | of your software.
        
       | walth wrote:
       | There is also a large difference between FIPS compliant and FIPS
       | certified. The former is running in FIPS mode and the latter is
       | running a cryptographic module that has been inspected and
       | verified by the CMVP.
       | 
       | And then the whole thing is really terrible security theater as
       | you are technically out of certification if you apply any non-
       | inspected updates.
        
         | p_l wrote:
| OpenSSL 3 made huge improvements in getting oneself FIPS
| certified, by isolating the FIPS-covered code to a small
| auditable module that doesn't have to be updated all that much,
| thus letting you update OpenSSL in general while retaining
| CMVP-verified crypto.
         | 
         | Now, getting it into some of the open source code was a PITA,
         | especially when you have things like components that depended
         | on MD5 somewhere...
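The two comments above (a dependency that "uses something not compliant" and "components that depended on MD5 somewhere") describe a failure that only surfaces at runtime once the FIPS provider is active. The following is an added example, not code from the post or from PostgreSQL: a startup self-check in Python that asks the linked OpenSSL build which digests it will allow for security use, and a helper that declares a checksum-only MD5 use as non-security so it keeps working. It assumes Python 3.9+ hashlib, where `usedforsecurity=False` is accepted and a FIPS-mode OpenSSL 3 refuses non-approved digests with `ValueError`.

```python
import hashlib


def probe_digests(names=None):
    """Return {digest_name: usable_for_security} as reported by the crypto
    provider behind hashlib. With OpenSSL 3's FIPS provider active, constructing
    a non-approved digest (md5 is the classic case) raises ValueError; on a
    non-FIPS build every listed digest is accepted."""
    if names is None:
        names = sorted(hashlib.algorithms_available)
    result = {}
    for name in names:
        try:
            hashlib.new(name, b"", usedforsecurity=True)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


def fips_ready(required=("sha256", "sha384", "sha512")):
    """Fail fast at startup: True only if every digest the application relies
    on for security purposes is accepted by the provider. `required` is an
    assumed list for this example; a real service lists what it actually uses."""
    probe = probe_digests(list(required))
    return all(probe.get(name, False) for name in required)


def content_fingerprint(data):
    """Checksum-style use of MD5 (cache keys, deduplication), explicitly
    declared as not security-relevant so FIPS mode permits it. Falls back to
    SHA-256 if the build refuses MD5 outright or predates usedforsecurity."""
    try:
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except (ValueError, TypeError):
        return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample run: report what this interpreter's provider allows.
    for name, ok in probe_digests(["md5", "sha1", "sha256", "sha512"]).items():
        print(f"{name:8s} {'ok' if ok else 'REFUSED for security use'}")
    print("fips_ready:", fips_ready())
    print("fingerprint:", content_fingerprint(b"abc"))
```

Run it once inside the target container or host with the FIPS provider enabled; a `REFUSED` line points at a dependency that will break before an auditor ever does.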
        
         | wahern wrote:
         | > And then the whole thing is really terrible security theater
         | as you are technically out of certification if you apply any
         | non-inspected updates.
         | 
         | The days when FIPS compliance required using relatively weak
         | ciphers and modes were lamentable. But all the other tedious
         | box checking work arguably shows that cipher bike shedding is
         | the real security theater. If you don't have a plan--and follow
         | that plan--to track software origins and updates, or an ability
         | to quickly resolve dependency issues that make it difficult to
         | refactor or even update your systems, then you have much bigger
         | problems than whether your latest software is using the Noise
         | protocol or has migrated from BLAKE2 to BLAKE3.
         | 
         | Which is not to say that maintaining FIPS certification or
         | FedRAMP compliance equates to good security. It's trivial to
         | identify simplifications that would result in better
         | operational security. But the vast majority of projects and
         | organizations struggling to meet those standards are struggling
         | precisely because their security posture is horrendously poor
         | when looked at comprehensively.
        
       | waynesonfire wrote:
| Curious to know which roles in an organization require a deep
| understanding of technical standards like FIPS or ISO. Is it
| typically expected of entry-level engineers, senior engineers,
| principals, tech leads, and/or project managers?
       | 
       | Have you ever needed to immerse yourself in a FIPS or ISO
       | standard? Was it out of necessity for a project (just-in-time
       | learning), or do some of you explore these standards in your
       | spare time?
       | 
       | These standards are complex and mastering them is no small feat.
       | It's interesting that people don't often brag about this
       | expertise on their resumes. Have you ever listed such standards
       | as part of your skill set? Why or why not?
       | 
       | I'm eager to hear your experiences and insights. How has your
       | understanding of these standards impacted your career or
       | projects?
        
         | linuxguy2 wrote:
         | Oooo for once, my time to shine! Or maybe, my time to shine???
         | 
         | > Is it typically expected of entry-level engineers, senior
         | engineers, principals, tech leads, and/or project managers?
         | 
         | Working at a company that provides FedRAMP-approved services,
         | the knowledge of FIPS within the company is a bit sparse.
         | InfoSec definitely needed to understand it in order to explain
         | to developers that they have to use BouncyCastle over the
         | default java crypto provider, etc, but it took someone else to
         | _really_ understand it and tell InfoSec that they were
         | initially asking for the wrong thing.
         | 
| Entry-level? No. Senior? At least minimal understanding of how
| cryptography works in their language of choice and the impact
| of FIPS. Principal? Same. Tech leads? Not a well-defined role.
| Probably. Project managers? No.
         | 
         | > Have you ever needed to immerse yourself in a FIPS or ISO
         | standard?
         | 
         | Yes. Multiple times. I argue with third-party auditors and the
         | FedRAMP Joint Advisory Board about interpretation of these
         | standards.
         | 
         | > Was it out of necessity for a project (just-in-time
         | learning), or do some of you explore these standards in your
         | spare time?
         | 
         | Necessity. See FedRAMP. However I can say ISO8601 was just for
         | fun. ISO8601 gang represent!
         | 
         | > These standards are complex and mastering them is no small
         | feat. It's interesting that people don't often brag about this
         | expertise on their resumes.
         | 
         | I've seen a couple people who listed those standards or similar
         | (FedRAMP again). Given the choice between two identical
         | candidates while one has FedRAMP/FIPS/ISO experience I'll pick
         | the one listing the standards.
         | 
         | > Have you ever listed such standards as part of your skill
         | set? Why or why not?
         | 
         | I've not updated my resume since acquiring skills in the
         | relevant standards but will probably include them when I do
         | update my resume. They're a specialization that commands a
         | premium when it comes to salary, if you're willing to work in
         | the industries / companies that play in that space. Some people
         | wouldn't include it because they truly hate working with
         | rigorous standards.
         | 
         | > How has your understanding of these standards impacted your
         | career or projects?
         | 
         | Understanding them has certainly proved to be a benefit to my
         | career given how closely I work with them.
        
       | josephcsible wrote:
       | > "FIPS mode" is a thing provided by OpenSSL that, well, makes it
       | more secure
       | 
       | A well-configured system would either be unchanged or be made
       | less secure by enabling FIPS mode. Nobody should ever use it
       | without a legal requirement to do so.
        
       ___________________________________________________________________
       (page generated 2023-12-06 23:00 UTC)