Implementing encryption correctly
Many organizations must use encryption because data protection regulations require it, but the developers asked to add it often have no specific training in cryptography. It is something of an endemic problem that few people think about. Many developers believe they know how to implement crypto, have never studied it, and carry a false sense of security. The result is applications where encryption is present but misused, and attackers can still get at the sensitive data it was supposed to protect.
Languages like Java and .NET do a reasonably good job of protecting developers from errors, certainly more than older languages like C. However, many argue that because modern languages are easier to program in and catch more mistakes for you, some developers are lulled into a false sense of security and take less care, which raises the risk of other classes of problems such as design and logic errors. Misusing crypto falls squarely into this category: a memory-safe language will not stop you from choosing a weak mode, reusing a nonce, or hardcoding a key.
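The two paragraphs above make the point that encryption can be present and still broken, and that the language will not save you from that class of mistake. The following Go program, an added example and not code from the original page, shows the most common version of it. The first function hand-rolls AES in ECB mode (Go's standard library deliberately offers no ECB helper, so developers who want it write exactly this), which encrypts every block independently and therefore leaks which plaintext blocks are identical. The second uses AES-GCM with a fresh random nonce, which hides that structure and also rejects any tampering with the ciphertext. The 32-byte key, the sample record, and the function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// encryptECB encrypts plaintext one block at a time with the same key and no
// chaining. This is the "encryption is present" but broken variant: identical
// plaintext blocks produce identical ciphertext blocks. Plaintext length must be
// a multiple of the AES block size (16 bytes); no padding is applied here.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// countRepeatedBlocks returns how many 16-byte ciphertext blocks are exact
// duplicates of an earlier block. Any value above zero means the ciphertext
// leaks plaintext structure to anyone who can read it.
func countRepeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// encryptGCM is the corrected form: AES-GCM with a fresh random nonce, which is
// prepended to the output so the decryptor can recover it. aad is optional
// associated data that is authenticated but not encrypted (e.g. a record header).
func encryptGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce || ct || tag.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptGCM splits off the nonce and verifies the authentication tag before
// returning any plaintext; a single flipped bit anywhere yields an error.
func decryptGCM(key, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short to contain a nonce")
	}
	nonce, ct := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed 256-bit key; in a real system this comes from a KMS or keystore.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample: a fixed-width export where the same 16-byte field repeats.
	record := bytes.Repeat([]byte("ACCOUNT=0000001;"), 4)

	ecb, err := encryptECB(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("ECB repeated ciphertext blocks:", countRepeatedBlocks(ecb))

	gcm, err := encryptGCM(key, record, []byte("export-v1"))
	if err != nil {
		panic(err)
	}
	fmt.Println("GCM repeated ciphertext blocks:", countRepeatedBlocks(gcm))

	gcm[len(gcm)-1] ^= 0x01 // flip one bit of the tag
	_, err = decryptGCM(key, gcm, []byte("export-v1"))
	fmt.Println("tampered GCM ciphertext rejected:", err != nil)
}
```

Run it and the ECB line reports three repeated blocks out of four, while the GCM line reports none and the tampered ciphertext is refused. Both versions "have encryption"; only one of them protects the data, and nothing in the compiler or runtime distinguishes them.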
Don't settle for a false sense of security. You can have encryption built into everything, and if it is misused your sensitive data is still exposed to spies and would-be thieves. Choose your team wisely: one with the skills and training to make sure the security is actually sound, rather than one that cranks out incoherent code that will need a ton of patching and rework later.