"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products

Published

Author(s)

Julie M. Haney, Mary F. Theofanos, Yasemin Acar, Sandra S. Prettyman

Abstract

Unfortunately, implementing cryptography correctly is a non-trivial undertaking. Past studies have supported this observation by revealing a multitude of errors and developer pitfalls in the cryptographic implementations of software products. However, the emphasis of these studies was on individual developers; there is an obvious gap in more thoroughly understanding the cryptographic development practices of organizations. To address this gap, we conducted 21 in-depth interviews of highly experienced individuals representing organizations that include cryptography in their products. Our findings suggest a security mindset not seen in other research results, demonstrated by a strong organizational security culture and the deep expertise of those performing cryptographic development. This mindset, in turn, guides the careful selection of cryptographic resources and informs formal, rigorous development and testing practices. The enhanced understanding of organizational practices encourages additional research initiatives to explore variations among those implementing cryptography, which can aid in transferring lessons learned from more security-mature organizations to the broader development community through educational opportunities, tools, and other mechanisms. The findings also support past studies suggesting that the usability of cryptographic resources may be deficient, and provide additional suggestions for making these resources more accessible and usable to developers of varying skill levels.
Proceedings Title
USENIX Symposium on Usable Privacy and Security
Conference Dates
August 13-14, 2018
Conference Location
Baltimore, MD
Conference Title
Same as above

Keywords

usable security, cryptography, development

Citation

Haney, J., Theofanos, M., Acar, Y. and Prettyman, S. (2018), "We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products, USENIX Symposium on Usable Privacy and Security, Baltimore, MD, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=926097 (Accessed October 22, 2021)
Created August 13, 2018, Updated January 31, 2019