"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products

Published: August 13, 2018


Julie M. Haney, Mary F. Theofanos, Yasemin Acar, Sandra S. Prettyman


Unfortunately, implementing cryptography correctly is a non-trivial undertaking. Past studies have supported this observation by revealing a multitude of errors and developer pitfalls in the cryptographic implementations of software products. However, the emphasis of these studies was on individual developers; there is an obvious gap in more thoroughly understanding cryptographic development practices of organizations. To address this gap, we conducted 21 in- depth interviews of highly experienced individuals representing organizations that include cryptography in their products. Our findings suggest a security mindset not seen in other research results, demonstrated by strong organizational security culture and the deep expertise of those performing cryptographic development. This mindset, in turn, guides the careful selection of cryptographic resources and informs formal, rigorous development and testing practices. The enhanced understanding of organizational practices encourages additional research initiatives to explore variations in those implementing cryptography, which can aid in transferring lessons learned from more security-mature organizations to the broader development community through educational opportunities, tools, and other mechanisms. The findings also support past studies that suggest that the usability of cryptographic resources may be deficient, and provide additional suggestions for making these resources more accessible and usable to developers of varying skill levels.
Proceedings Title: USENIX Symposium on Usable Privacy and Security
Conference Dates: August 13-14, 2018
Conference Location: Baltimore, MD
Conference Title: Same as above
Pub Type: Conferences

Download Paper


usable security, cryptography, development
Created August 13, 2018, Updated January 31, 2019