Software developers often make mistakes when using cryptography in applications, which tends to result in code with dangerous and subtle weaknesses. Some of this can be addressed through training, but should we expect all developers to be cryptography experts? Many developersonly know to avoid writing their own ciphers, and rely on one of the many incomplete or incorrect code examples that exist on the internet. To make things worse, most cryptographic libraries in use today are designed to be used by experts and often result in misunderstandings by the average application developer.
In this talk we will look at some common cryptography usage errors and why popular libraries often fall short. We will also discuss nuances such as backwards compatibility, FIPS 140-2 validation, and weak standards such as JOSE/JWT that contribute to the overall confusion. I’ll share some advice that you can provide to the development/engineering teams in your organization to not only make their job easier, but also ensure more secure cryptographic implementations.