Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Software developers are failing to implement crypto correctly, data reveals

Lucian Constantin | June 29, 2015
Despite a big push over the past few years to use encryption to combat security breaches, lack of expertise among developers and overly complex libraries have led to widespread implementation failures in business applications.

Too many programmers think that they can just link to a crypto library and they're done, but cryptography is hard to implement robustly if you don't understand the finer aspects of it, like checking certificates properly, protecting the encryption keys, using appropriate key sizes or using strong pseudo-random number generators.

"All this ultimately comes down to better education of programmers to understand all the pitfalls when implementing strong crypto," Eiram said.

But it's not only the developers' fault. Matthew Green, a professor of cryptography engineering at Johns Hopkins University in Baltimore, thinks that many crypto libraries are "downright bad" from a usability perspective because they've been designed by and for cryptographers.

"Forcing developers to use them is like expecting someone to fly an airplane when all they have is a driver's license," he said via email.

Green believes that making cryptographic software easier to use -- ideally invisible so that people don't even have to think about it -- would be a much more efficient approach than training developers to be cryptographers.

"We don't expect developers to re-implement TCP [a core Internet protocol] or the entire file system every time they write something," he said. "The fact that current crypto APIs are so bad is just a reflection of the fact that crypto, and security in general, are less mature than those other technologies."

The authors of some cryptographic libraries are aware that their creations should be easier to use. For example, the OpenSSL project's roadmap, published last June, lists reducing API complexity and improving documentation as goals to be reached within one year.

While not disputing that some crypto libraries are overly complex, Eiram doesn't agree that developers need to be cryptographers in order to implement crypto correctly.

The crypto APIs in Java and .NET -- the programming languages most used by the apps covered in Veracode's report -- were designed specifically for developers and provide most of what they need in terms of crypto features when developing applications in those languages, Eiram said.

"While it's always preferable that libraries including crypto libraries are made to be used as easily as possible, the programmers using them ultimately need to at least understand on a high level how they work," he said. "I really see it as a two-way street: Make crypto as easy to use as possible, but programmers having to implement crypto in applications should also properly educate themselves instead of hoping for someone to hold their hand."

In addition to the lack of crypto expertise among developers and the complexity of some crypto libraries, forgetting to turn security features back on after product testing is another common source of failures, according to Green.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.