Organizational Practices in Cryptographic Development and Testing
Julie Haney, Simson L. Garfinkel, Mary Theofanos
Organizations developing cryptographic products face significant challenges, including usability and human factors, that may result in decreased security, increased development time, and missed opportunities to use the technology to its fullest potential. To better identify these challenges, we explored cryptographic development and testing practices by conducting a web-based survey of 121 individuals representing organizations involved in the development of products that include cryptography. We found that participants used cryptography for a wide range of purposes, with most relying on generally accepted, standards-based implementations as guides. However, many also developed their own implementations and drew on non-standards-based resources to inform their development and testing processes. Our results also highlight challenges that incorporating cryptography within products creates within organizations, including the recruitment and management of talent, the product lifecycle, and the ability to explain the security value of products to customers. We conclude by discussing implications of these findings and opportunities for future research.
5th IEEE Conference on Communications and Network Security
October 9-11, 2017
Las Vegas, NV, US
Haney, J., Garfinkel, S. and Theofanos, M., Organizational Practices in Cryptographic Development and Testing, 5th IEEE Conference on Communications and Network Security, Las Vegas, NV, US, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=922164 (Accessed October 22, 2021)