Despite a big push over the past few years to use encryption to combat security breaches, lack of expertise among developers and overly complex libraries have led to widespread implementation failures in business applications.
The scale of the problem is significant. Cryptographic issues are the second most common type of flaws affecting applications across all industries, according to a report this week by application security firm Veracode.
The report is based on static, dynamic and manual vulnerability analysis of over 200,000 commercial and self-developed applications used in corporate environments.
Cryptographic issues ranked higher in prevalence than historically common flaws like cross-site scripting, SQL injection and directory traversal. They included things like improper TLS (Transport Layer Security) certificate validation, cleartext storage of sensitive information, missing encryption for sensitive data, hard-coded cryptographic keys, inadequate encryption strength, insufficient entropy, non-random initialization vectors, improper verification of cryptographic signatures, and more.
The majority of the affected applications were Web-based, but mobile apps also accounted for a significant percentage.
Developers are adding a lot of crypto to their code, especially in sectors like health care and financial services, but they're doing it poorly, said Veracode CTO Chris Wysopal.
Many organizations need to use encryption because of data protection regulations, but the report suggests their developers don't have the necessary training to implement it properly.
"It goes to show how hard it is to implement cryptography correctly," Wysopal said. "It's sort of an endemic issue that a lot of people don't think about."
Many developers believe they know how to implement crypto, but they haven't had any specific training in cryptography and have a false sense of security, he said. Therefore, even though they end up with applications where encryption is present, so they can tick that checkbox, attackers are still able to get at sensitive data.
And that doesn't even touch on cases where developers decide to create their own crypto algorithms, a bad idea that's almost always destined to fail. Veracode only tested implementations that used standard cryptographic APIs (application programming interfaces) offered by programming languages like Java and .NET or popular libraries like OpenSSL.
Programming languages like Java and .NET try to protect developers from making errors more than older languages like C, said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, via email.
"However, many people argue that since modern languages are easier to program in and protect programmers more from making mistakes, more of them may be lulled into a false sense of security and not show proper care when coding, i.e. increasing the risk of introducing other types of problems like design and logic errors. Not implementing crypto properly would fall into that category," Eiram said.
Sign up for MIS Asia eNewsletters.