Is software crypto failing?
This entry was posted on Wednesday, July 15th, 2015.
Although encryption is increasingly used to combat security breaches, a salient lack of expertise among developers, coupled with overly complex libraries, has led to widespread implementation failures in business applications.
According to IDG’s Lucian Constantin, the scale of the problem is quite significant. Indeed, a recent report published by Veracode confirms that cryptographic issues are now the second most common type of flaws affecting applications across all industries.
“Cryptographic issues ranked higher in prevalence than historically common flaws like cross-site scripting, SQL injection and directory traversal,” Constantin explained. “[This] includes things like improper TLS (Transport Layer Security) certificate validation, cleartext storage of sensitive information, missing encryption for sensitive data, hard-coded cryptographic keys, inadequate encryption strength, insufficient entropy, non-random initialization vectors [and] improper verification of cryptographic signatures.”
As Veracode CTO Chris Wysopal notes, developers may be adding a significant amount of crypto to their code, especially for health care and financial apps. However, they are doing it poorly, with a lack of proper training adversely impacting implementation.
“It goes to show how hard it is to implement cryptography correctly,” Wysopal told the publication. “It’s sort of an endemic issue that a lot of people don’t think about.”
In addition to a lack of expertise, numerous crypto libraries are often difficult for developers to use. Indeed, Matthew Green, a professor of cryptography engineering at Johns Hopkins University in Baltimore, says many crypto libraries are “downright bad” from a usability perspective because they’ve been designed by and for cryptographers.
“Forcing developers to use them is like expecting someone to fly an airplane when all they have is a driver’s license,” Green told IDG. “[Then again], we don’t expect developers to re-implement TCP [a core Internet protocol] or the entire file system every time they write something. The fact that current crypto APIs are so bad is just a reflection of the fact that crypto, and security in general, are less mature than those other technologies.”
Carsten Eiram, the chief research officer at Risk Based Security, expressed similar sentiments in an email to IDG.
“While it’s always preferable that libraries including crypto libraries are made to be used as easily as possible, the programmers using them ultimately need to at least understand on a high level how they work,” he opined. “I really see it as a two-way street: Make crypto as easy to use as possible, but programmers having to implement crypto in applications should also properly educate themselves instead of hoping for someone to hold their hand.”
Commenting on the above-mentioned report, Eliott Jones, VP of User Experience at Rambus, told us that to realize the potential of cryptography-related solutions, usability will need to follow the same path that it has for other development technologies. With so much rich interaction and simplification of the user-facing tools in the modern development sphere, developers have also come to expect that they will not have to become a domain expert to enable technologies like cryptography in their projects.
“As with most nascent technologies, the products start from the ground up, from a pure engineering perspective. But as the space matures and adoption includes a broader user base, usability becomes a key need and differentiator. One gets the sense that, to date, software in the security space has been a tertiary concern. This is true not only for software libraries, but also for user interfaces (UIs) powering various security-related platforms,” said Jones. “From my perspective, effectively interacting with software libraries (upstream) and extracting real meaning from vast amounts of raw data (downstream) requires a highly intuitive (UI) paired with enhanced visual analysis tools.”
As Jones points out, that is precisely why Rambus engineers have adopted design cues from consumer-centric products when developing the software layers of the company’s CryptoManager and DPA Workstation testing platform (DPAWS).
“As examples, the software layers of both DPAWS and CryptoManager feature an intuitive UI that integrates advanced visualization capabilities. This helps increase the efficiency of side-channel analysis for the former and optimizes the Security Engine and related Infrastructure for the latter,” he added. “Although improving the usability of crypto libraries is a critical first step, it is important to realize that this is only one piece of the puzzle. From a broader perspective, an intuitive UI bolsters a platform’s efficiency, ultimately helping to define its competitive advantage.”