According to a report recently issued by Veracode, many business applications contain security vulnerabilities because they lack adequate encryption. Application developers typically lack expertise in cryptography and often do not follow best practices for encrypting data properly.
The IEEE lists several common problems that occur when cryptography is used. One of the worst is that developers often attempt to create their own encryption mechanisms. This is a dangerous practice, because effective cryptography requires mathematical expertise that few have. Unless you are Phil Zimmermann (the developer of PGP) or an expert in mathematics, it’s best to use established libraries for encryption.
Using such libraries alone is not an airtight guarantee against breaches, however. The IEEE gave the example of an application using an algorithm that protected the confidentiality of data but did not protect that data against being altered. Not only are these libraries not being used properly, they are also designed in a way that makes them hard for developers to understand, according to comments Johns Hopkins University cryptography engineering professor Matthew Green made to PC World.
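The IEEE example, confidentiality without integrity, as an added illustration in Go (this is not code from the report or from any source quoted in this article): AES-CTR hands back an altered ciphertext as if nothing happened, while AES-GCM, an authenticated mode from the same standard library, refuses it. The key, IV and nonce are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
// Constructed demo key, IV and nonce; real code uses a KMS or KDF and fresh nonces.
var (
	demoKey  = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	ctrIV    = []byte("ctr-iv-16-bytes!")                 // 16 bytes: AES block
	gcmNonce = []byte("gcm-nonce-12")                     // 12 bytes: GCM default
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// sealCTR is AES-CTR: confidentiality only, so an altered ciphertext is not
// detected. CTR is an XOR keystream, so the same call encrypts and decrypts.
func sealCTR(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, in)
	return out
}

func mustGCM(key []byte) cipher.AEAD {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return aead
}

// sealGCM appends a 16-byte tag; openGCM errors if ciphertext or tag changed.
func sealGCM(key, nonce, pt []byte) []byte          { return mustGCM(key).Seal(nil, nonce, pt, nil) }
func openGCM(key, nonce, ct []byte) ([]byte, error) { return mustGCM(key).Open(nil, nonce, ct, nil) }
func main() {
	ct := sealCTR(demoKey, ctrIV, []byte("hello, world"))
	ct[0] ^= 0x20 // one altered byte: a corrupted or modified stored record
	sealed := sealGCM(demoKey, gcmNonce, []byte("hello, world"))
	sealed[0] ^= 0x20
	_, err := openGCM(demoKey, gcmNonce, sealed)
	fmt.Printf("CTR silently yields %q; GCM reports: %v\n", sealCTR(demoKey, ctrIV, ct), err)
}
```

The CTR output differs from the original message only in the altered byte and carries no indication that anything changed; the GCM call returns an authentication error and no plaintext.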
Another problem is that for many developers, encryption is not a priority. SecureDB asked some developers why and found that complacency was a common attitude. Many felt that their data centers had good enough security. Application performance and the inability to search data while it is encrypted were other factors.
The causes of weak encryption are so numerous that an exhaustive list would be difficult to produce. A few key changes would nonetheless be an improvement.
One of the biggest problems seems to be that not everyone is on the same page about the importance of encryption. Cryptography experts develop APIs that they can understand but developers can’t. Developers work long hours and are so often under the gun to complete tasks that they treat them like hot potatoes. It’s a superficial approach to coding that leaves applications wide open to vulnerabilities. Management often does not see the importance of security or how breaches can hurt financially.
Everyone from API providers to developers to their supervisors has to understand that cybersecurity should be of the utmost importance to a business, and all of them must work together to make it happen. Developers and API providers should discuss how encryption libraries can be structured to be easier to use. Management needs to understand the potential impacts of a breach and budget the time and money to protect against them. Unfortunately, it is often the case that there is not enough money and time to prevent a mess, but always enough to clean one up after it occurs.