Researchers at Germany's Technical University of Darmstadt (TU Darmstadt) want to automate encryption so software developers can correctly integrate cryptographic protocols into applications that communicate over the Internet.
Between 2013 and 2015, 1,769 security vulnerabilities registered in the U.S. National Vulnerability Database stemmed from mistakes made by software developers, and issues involving the integration of encryption protocols in applications were the fourth most frequent source of such vulnerabilities. In addition, recent studies demonstrated software integration is an important point of weakness because the use of components of cryptographic libraries requires knowledge of too many details that app programmers often do not possess.
Software developers should ensure the individual steps of an encryption protocol are executed in a specific order, for which concrete recommendations are available depending on the data that is to be protected. However, the researchers note developers frequently lack the time to read the appropriate manuals, and another source of errors is digital certificates that verify the validity of a given key.
Developers sometimes disable the verification process for their software certificates in order to speed up testing, but then forget to re-enable it for the production system.
"These are both common errors, even among serious software providers; and those are just two examples among many," says TU Darmstadt researcher Mira Mezini.
From Technical University of Darmstadt (Germany)
View Full Article
Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA
No entries found