Geoffrey Hird <geoffrey@arcot.com> writes:
> I read yesterday (I think on the NIST web site) that a major FIPS 140 test lab reported that something like 50% or 60% (sorry I can't find the story) of the modules it received for testing had bugs in them.
It's not "have bugs", it's "failed to meet the silly-walk requirements set by that lab". The labs will always find at least one thing to nitpick (and preferably several, even if it's just the punctuation in your paperwork [0]), no matter how perfect your code, because to not do so would imply that they're not doing their job. In addition, since the silly-walk changes arbitrarily from one lab to another, the "bugs" found will be different for each lab. If you really don't want to make some required change (for example because it'd mean re-architecting your entire product) then the easiest solution is to jury-shop labs until you find one that waves you through.
> But I have argued that FIPS 140 in general is worthwhile,
As was recently pointed out on another list, it's very worthwhile from a marketing perspective. Doesn't guarantee much about security, but provides a guarantee of sales to government agencies. This is why the certification costs for a company's product will often be taken from the marketing budget rather than the engineering budget.

Peter.

[0] This actually happened in one eval when they were really struggling to find anything to complain about.