Developer Friendly Cryptography

Brice Williams (bricex)

Speaker Bio

Brice Williams is a Practice Lead with SysLogic and leads their Managed Security Advisory Services with 20 years of experience in software development and security best practices. His team provides cybersecurity guidance and support to large global organizations in areas that include secure development programs, developer training, security tools, source code assessments, and secure architecture. Brice has developed and conducted cybersecurity training classes for hundreds of software developers, and focuses on improving the state of information security within the product development life cycle.

Brice is also a founding partner of Cyberspect, a startup in the application security space that provides tools to empower development teams to deliver more secure code.

Presentation

Software developers often make mistakes when using cryptography in applications, which tends to result in code with dangerous and subtle weaknesses. Some of this can be addressed through training, but should we expect all developers to be cryptography experts? Many developers only know to avoid writing their own ciphers, and rely on one of the many incomplete or incorrect code examples that exist on the internet. To make things worse, most cryptographic libraries in use today are designed to be used by experts and are often misunderstood by the average application developer.

In this talk we will look at some common cryptography usage errors and why popular libraries often fall short. We will also discuss nuances such as backwards compatibility, FIPS 140-2 validation, and weak standards such as JOSE/JWT that contribute to the overall confusion. I’ll share some advice that you can provide to the development/engineering teams in your organization to not only make their job easier, but also ensure more secure cryptographic implementations.