Cryptography Cognizance for Application Designers and Developers

Here's the abstract for a whitepaper I am beginning to write:

Cryptography is increasingly emerging as an essential and must-have ammo in the arsenal of application designers and developers. Reliance on cryptography is a critical part of an application’s security strategy and is an unstated yet expected requirement for satisfying the security needs of business applications. The ever-increasing list of threats and their corresponding countermeasures confounds the application developer and leads to incorrect cryptographic choices. The complexities associated with cryptography only compound this problem. This has led to developers seeing cryptography as a silver bullet that will solve their application’s security problems and kill the ‘werewolf’ aka hacker. Also, with so many mitigation options available, it is often difficult to choose one mitigation technique over another, leading to a void in the understanding of the application designer.

This whitepaper fills up exactly that void by delving into cryptography concepts that developers should be cognizant about and incorporate in their application security strategy. Microsoft is a market leader in application security and we believe our vast experience in the application security arena qualifies us to share our insights with the application development community at large.

At a broad level, the whitepaper is divided into two logical parts: Warm-up and Deep-dive.

The Warm-up portion of the whitepaper will give the reader a gentle introduction to application security and the role of cryptography in the application security landscape. It will also encompass a short discussion of the various cryptographic primitives available and clear up the common misconceptions surrounding these primitives. This is followed by a discussion of cryptographic terminology and the technology choices available.

The Deep-dive portion of the whitepaper provides a detailed overview of how cryptography offers various security services to applications in the areas of code security, authentication, authorization, non-repudiation, replay protection, timestamping, application provisioning and federation. Code samples will be provided where applicable. Best practices when using cryptographic APIs will be discussed. Common mistakes made when using cryptography, and ways of correcting them, will also be covered.

All in all, my vision for this whitepaper is to leave the reader with a panoptic understanding of cryptography and a higher level of cryptography cognizance. The goal is for the reader to be more comfortable, and more productive, when working with cryptography.