Archive for category Tools
Managing FISMA compliance with OpenFISMA tool
Posted by Shahid N. Shah in Government 2.0, Information Assurance, Tools on May 4th, 2009
As architects working on federal projects we spend a ton of time on security practices and FISMA compliance. Implementing FISMA guidelines involves lots of manual tracking of dozens of steps and checks across various groups. I was pleased to run across OpenFISMA recently because it helps automate some of the manual steps in FISMA compliance by using a LAMP-based application to manage the process. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, security assessments and vulnerability remediation. Here’s the description of the tool from their website:
The OpenFISMA project is an open source application designed to reduce the complexity and automate the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
OpenFISMA contains many of the NIST SP 800-53 security controls required for a FIPS-199 "high" impact information system. This helps you get your OpenFISMA instance authorized to operate quickly. The built-in controls include system use notification, rules of behavior, electronic privacy policy (p3p), and many, many more.
OpenFISMA also contains a catalog of all NIST SP 800-53 Rev. 2 controls built-in. Findings in OpenFISMA can be matched against these security controls to provide supplemental information for remediation and planning. The catalog includes descriptions of the controls, scoping, and supplemental guidance.
PKI (HSPD-12) for controlling access to your web applications
Posted by Shahid N. Shah in Tools on May 1st, 2009
If you’re looking for a quick and easy way to allow web applications to use your PIV cards and to let more thin-client solutions be HSPD-12 compliant, check out the Public Key Infrastructure Framework (PKIF) and WebCullis projects.
What’s slick about WebCullis is that it’s an IIS- and Apache-compatible web module that makes most of the process transparent. Here’s what the developers say about the projects, verbatim from their website:
PKIF provides a variety of capabilities useful in enabling applications, including:
- Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
- RFC 5280-compliant path validation.
- Supports RFC 3852 (Cryptographic Message Syntax).
- Supports RFC 3161 (Timestamp protocol).
- New: Supports RFC 5055 (SCVP) and RFC 4998 (ERS), along with RFC 5276 (SCVP/ERS wantBacks).
- wxWidgets-based cross-platform GUI controls.
- Enabling applications is simple.
- Multiple certificate sources are supported, including LDAP-accessible directories, web servers, CAPI certificate stores, NSS certificate stores and other application-specified sources.
- Can retrieve revocation information from local stores, application-specified sources (such as an LDAP directory) and follow CRL distribution points.
- Can use OCSP responders specified in AIA extensions.
- One or more trusted OCSP responder(s) may be configured for path validation.
- Configurable to make the most of your infrastructure.
- Configurations can be created centrally and pushed out using your existing management tools.
- Much more. See the online developer’s reference for details.
Webcullis provides a simple, secure and flexible solution for integrating your PKI and your web applications. Webcullis features:
- Certification path building and discovery compatible with the DoD PKI and the Federal bridged environments.
- RFC 3280-compliant path validation
- Cached validations to reduce server load for multiple requests
- Simple configuration syntax
- Access restrictions may be based on: Name constraints, Key Size, Extended Key Usage, Policy Constraints or Quality of revocation information
- Allows the use of one or more LDAP directories for path building
- One or more trusted OCSP responders may be configured for path validation
- Webcullis trust roots are separate from the system trust roots, enabling server-side work-arounds for client-side bugs.
- Access to resources may be controlled without configuring cumbersome mappings between certificates and system accounts on IIS.
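As an added illustration (not code from the PKIF or WebCullis projects), the following Go program shows what three of the WebCullis restrictions above amount to when written against the standard library's crypto/x509: the client certificate is validated against a dedicated root pool rather than the system roots, it must carry the client-authentication Extended Key Usage, and its RSA key must meet a size floor. The CA, the three client certificates, the 2048-bit floor and the one-hour validity window are constructed fixtures chosen here, not values from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Authorize applies three of the restrictions the feature list names: the client certificate must chain
// to one of our own roots (a pool kept apart from the system roots), carry the required EKU, and meet an RSA key-size floor.
func Authorize(leaf *x509.Certificate, roots *x509.CertPool, eku x509.ExtKeyUsage, minRSABits int) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // untrusted issuer, expired, or an EKU that does not permit this use
	}
	if k, ok := leaf.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minRSABits {
		return errors.New("RSA key below policy minimum")
	}
	return nil
}

// tmpl returns a minimal one-hour certificate template (constructed test fixture only).
func tmpl(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku}
}

// issue signs t with signer and parses the result (parent == t yields a self-signed root).
func issue(t, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}

// Demo builds a throwaway CA and three client certificates and returns the verdict for each.
func Demo() (good, wrongEKU, weakKey error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := tmpl(1, "Demo Root")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	root := issue(ca, ca, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool() // dedicated pool, deliberately not x509.SystemCertPool()
	roots.AddCert(root)
	strong, _ := rsa.GenerateKey(rand.Reader, 2048)
	weak, _ := rsa.GenerateKey(rand.Reader, 1024)
	client := x509.ExtKeyUsageClientAuth
	return Authorize(issue(tmpl(2, "holder", client), root, &strong.PublicKey, caKey), roots, client, 2048),
		Authorize(issue(tmpl(3, "holder", x509.ExtKeyUsageServerAuth), root, &strong.PublicKey, caKey), roots, client, 2048),
		Authorize(issue(tmpl(4, "holder", client), root, &weak.PublicKey, caKey), roots, client, 2048)
}
```

Only the first certificate passes: the second carries a serverAuth-only EKU and the third a 1024-bit key, and both are refused before any resource is served.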