[HN Gopher] PostgreSQL and FIPS Mode
___________________________________________________________________

PostgreSQL and FIPS Mode

Author : chmaynard
Score  : 45 points
Date   : 2023-12-05 11:22 UTC (1 days ago)

web link (peter.eisentraut.org)

| nickvanw wrote:
| This is the un-fun work needed to get open source software into
| many different parts of the enterprise and government. It's not
| fun, and sometimes it's not even very difficult, but it's usually
| very time consuming and full of arcane knowledge.
|
| Signed, someone who was dropped a big application and asked to
| make it FIPS compliant ASAP.
|
| pixl97 wrote:
| Open, closed, it's all a bunch of fun getting working in FIPS
| mode. Especially 3rd party applications. They'll call a
| library, that calls a library that uses something not
| compliant.
|
| While FIPS is a pain in the ass, it can show you potential
| failures your software has with using ancient crypto methods
| that are easy to enable and completely compromise the security
| of your software.
|
| walth wrote:
| There is also a large difference between FIPS compliant and FIPS
| certified. The former is running in FIPS mode and the latter is
| running a cryptographic module that has been inspected and
| verified by the CMVP.
|
| And then the whole thing is really terrible security theater as
| you are technically out of certification if you apply any
| non-inspected updates.
|
| p_l wrote:
| OpenSSL 3 made huge improvements in getting oneself FIPS
| certified, by isolating the FIPS-covered code to a small
| auditable module that doesn't have to be updated all that much,
| thus letting you update OpenSSL in general while retaining
| CMVP-verified crypto.
|
| Now, getting it into some of the open source code was a PITA,
| especially when you have things like components that depended
| on MD5 somewhere...
| wahern wrote:
| > And then the whole thing is really terrible security theater
| > as you are technically out of certification if you apply any
| > non-inspected updates.
|
| The days when FIPS compliance required using relatively weak
| ciphers and modes were lamentable. But all the other tedious
| box checking work arguably shows that cipher bike shedding is
| the real security theater. If you don't have a plan--and follow
| that plan--to track software origins and updates, or an ability
| to quickly resolve dependency issues that make it difficult to
| refactor or even update your systems, then you have much bigger
| problems than whether your latest software is using the Noise
| protocol or has migrated from BLAKE2 to BLAKE3.
|
| Which is not to say that maintaining FIPS certification or
| FedRAMP compliance equates to good security. It's trivial to
| identify simplifications that would result in better
| operational security. But the vast majority of projects and
| organizations struggling to meet those standards are struggling
| precisely because their security posture is horrendously poor
| when looked at comprehensively.
|
| waynesonfire wrote:
| Curious to know which roles in an organization require a deep
| understanding of technical standards like FIPS or ISO. Is it
| typically expected of entry-level engineers, senior engineers,
| principals, tech leads, and/or project managers?
|
| Have you ever needed to immerse yourself in a FIPS or ISO
| standard? Was it out of necessity for a project (just-in-time
| learning), or do some of you explore these standards in your
| spare time?
|
| These standards are complex and mastering them is no small feat.
| It's interesting that people don't often brag about this
| expertise on their resumes. Have you ever listed such standards
| as part of your skill set? Why or why not?
|
| I'm eager to hear your experiences and insights. How has your
| understanding of these standards impacted your career or
| projects?
| linuxguy2 wrote:
| Oooo for once, my time to shine! Or maybe, my time to shine???
|
| > Is it typically expected of entry-level engineers, senior
| > engineers, principals, tech leads, and/or project managers?
|
| Working at a company that provides FedRAMP-approved services,
| the knowledge of FIPS within the company is a bit sparse.
| InfoSec definitely needed to understand it in order to explain
| to developers that they have to use BouncyCastle over the
| default Java crypto provider, etc., but it took someone else to
| _really_ understand it and tell InfoSec that they were
| initially asking for the wrong thing.
|
| Entry-level? No. Senior? At least minimal understanding of how
| cryptography works in their language of choice and the impact
| of FIPS. Principal? Same. Tech leads? Not a well-defined role.
| Probably. Project managers? No.
|
| > Have you ever needed to immerse yourself in a FIPS or ISO
| > standard?
|
| Yes. Multiple times. I argue with third-party auditors and the
| FedRAMP Joint Advisory Board about interpretation of these
| standards.
|
| > Was it out of necessity for a project (just-in-time
| > learning), or do some of you explore these standards in your
| > spare time?
|
| Necessity. See FedRAMP. However, I can say ISO 8601 was just for
| fun. ISO 8601 gang represent!
|
| > These standards are complex and mastering them is no small
| > feat. It's interesting that people don't often brag about this
| > expertise on their resumes.
|
| I've seen a couple of people who listed those standards or
| similar (FedRAMP again). Given the choice between two identical
| candidates where one has FedRAMP/FIPS/ISO experience, I'll pick
| the one listing the standards.
|
| > Have you ever listed such standards as part of your skill
| > set? Why or why not?
|
| I've not updated my resume since acquiring skills in the
| relevant standards but will probably include them when I do
| update my resume.
| They're a specialization that commands a
| premium when it comes to salary, if you're willing to work in
| the industries / companies that play in that space. Some people
| wouldn't include it because they truly hate working with
| rigorous standards.
|
| > How has your understanding of these standards impacted your
| > career or projects?
|
| Understanding them has certainly proved to be a benefit to my
| career given how closely I work with them.
|
| josephcsible wrote:
| > "FIPS mode" is a thing provided by OpenSSL that, well, makes it
| > more secure
|
| A well-configured system would either be unchanged or be made
| less secure by enabling FIPS mode. Nobody should ever use it
| without a legal requirement to do so.
___________________________________________________________________
(page generated 2023-12-06 23:00 UTC)