While the most common cause of data breaches affecting the public and private sector is often the shortcomings on the part of an end user, developers also have a share of liability for what brings about this cyber incident.
According to a new Veracode report, most developers do not have sufficient expertise to implement encryption in their products. As a result, cryptographic keys are more often than not easy to decode for attackers.
For most of data breach incidents, encryption issues are one of the vulnerabilities that have a serious impact on applications across various sectors and industries. In particular, cryptographic flaws involve wrong Transport Layer Security certificate validation, sensitive data stored as a text, unencrypted information, and hard-coded cryptographic keys, among others.
Both mobile apps and Web-based applications were affected by this shortcoming on the part of developers, although there are quite some level of differences as to the number of apps in each platform affected.
Although most applications used by many companies and organizations need to have encryption embedded in them to comply with data security laws, some developers are putting it in their products in a lax manner, according to Veracode.
Part of the problem is the lack of cryptography training for many developers. That’s why they have a poor understanding about security, Veracode said. It is no small issue, therefore, that a lot of applications with encryption components could be relied on to effectively counter attacks.
Then there is the lack of standardization as some developers develop their own encryption algorithms, mostly by not following standard cryptographic application programming interfaces offered by Java or some other widely used programming languages.
It is highly recommended that programmers first review the certificates with thorough care, secure encryption keys and implement hard-to-crack pseudo-random number generators. What is needed here is proper education for developers to help them gain insights into the dire consequences of not implementing a robust encryption.
From the point of view of other security experts, complex crypto libraries are also part to blame for this encryption issue. That is so because of the gap in language. Crypto libraries are natively developed for cryptographers, not for developers.
So it is not only a matter of educating developers, but also designing cryptographic software in a way that is easy to understand for developers as well. Then it would be smoother to implement robust encryption without taking the extra mile of understanding cryptographic languages.
