Because cryptography is specialized knowledge. Most curricula don't even include cryptography as a core topic in their Computer Science degree. You can have a look at MIT's computer science curriculum. Cryptography is instead embedded in the elective class Fundamentals of Computer Security (6.1600). That's also why we have DevSecOps instead of the previous DevOps. It simply boils down to this: teaching and learning cryptography is hard. It's still too early to expect a typical dev to understand how to implement cryptography, even with a good library. Most don't know that compression and encryption don't mix well. Nor do they understand the importance of randomness and never using the same nonce twice. Crypto lib devs who understand crypto add big scary warnings, yet someone will mess something up.
Still, I will strongly support academics adding basic cryptography knowledge to their curriculum, like common algorithms, key lengths, future threats, and how fast the security landscape is moving, just for the sake of the future of cyber security.
GreenEngineering3475@lemmy.world 2 months ago
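The two habits the comment above calls out, drawing every nonce from a cryptographic random source and refusing to ever reuse one under the same key, can be enforced in a small wrapper rather than left to each caller. The following is an added example written for this thread, not code from the commenter or from GivEnergy; it uses Go's standard-library AES-GCM (crypto/cipher), a constructed all-zero test key in main, and a hypothetical Sealer type that records every nonce it has used so a repeat is rejected before any ciphertext is produced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// ErrNonceReuse is returned when a caller tries to seal with a nonce that
// has already been used under this key. Reusing a nonce with AES-GCM
// breaks both confidentiality and the integrity guarantee.
var ErrNonceReuse = errors.New("nonce reuse under the same key refused")

// Sealer wraps an AES-GCM AEAD and remembers every nonce used under its key.
// (Hypothetical helper type for this example; an in-memory set is enough
// to demonstrate the check, a real service would persist or rotate keys.)
type Sealer struct {
	aead cipher.AEAD
	mu   sync.Mutex
	seen map[string]struct{}
}

// NewSealer builds a Sealer from a 16-, 24- or 32-byte AES key.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, seen: make(map[string]struct{})}, nil
}

// Seal draws a fresh nonce from crypto/rand for every message and returns
// nonce || ciphertext || tag, so the receiver never has to guess the nonce.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.SealWithNonce(nonce, plaintext, aad)
}

// SealWithNonce seals with a caller-supplied nonce but refuses any nonce
// that has already been used under this key.
func (s *Sealer) SealWithNonce(nonce, plaintext, aad []byte) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	k := hex.EncodeToString(nonce)
	if _, dup := s.seen[k]; dup {
		return nil, ErrNonceReuse
	}
	s.seen[k] = struct{}{}
	out := make([]byte, 0, len(nonce)+len(plaintext)+s.aead.Overhead())
	out = append(out, nonce...)
	return s.aead.Seal(out, nonce, plaintext, aad), nil
}

// Open splits off the nonce and authenticates before returning plaintext;
// any modified byte makes the tag check fail.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], aad)
}

func main() {
	key := make([]byte, 32) // constructed all-zero test key, never use in production
	s, err := NewSealer(key)
	if err != nil {
		panic(err)
	}
	c1, _ := s.Seal([]byte("meter reading 42"), []byte("device-id"))
	c2, _ := s.Seal([]byte("meter reading 42"), []byte("device-id"))
	fmt.Printf("same plaintext, different ciphertexts: %v\n", hex.EncodeToString(c1) != hex.EncodeToString(c2))
	_, err = s.SealWithNonce(c1[:s.aead.NonceSize()], []byte("again"), nil)
	fmt.Println("reuse refused:", errors.Is(err, ErrNonceReuse))
}
```

Seal is the only entry point ordinary code should call; SealWithNonce exists so that the reuse guard can be exercised directly and so deterministic-nonce designs (counters) still pass through the same check.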
In an email, a GivEnergy representative reinforced Castellucci’s assessment, writing:
In this case, the problematic encryption approach was picked up via a 3rd party library many years ago, when we were a tiny startup company with only 2, fairly junior software developers & limited experience. Their assumption at the time was that because this encryption was available within the library, it was safe to use. This approach was passed through the intervening years and this part of the codebase was not changed significantly since implementation (so hadn't passed through the review of the more experienced team we now have in place).
sugar_in_your_tea@sh.itjust.works 2 months ago
So, it sounds like they don’t have regular security audits, because that’s something that would absolutely get flagged by any halfway competent sec team.
WhatAmLemmy@lemmy.world 2 months ago
No need for audits. It’s only critical infrastructure embedded into tens of thousands of homes, lol.
Telorand@reddthat.com 2 months ago
Yet another reminder that trust should be earned.