Abstract
During the past 8 years, Kevin has examined how cryptography has been used in 300+ different projects from a security risk perspective. This includes 85+ design reviews well over 100 secure code reviews (mostly Java with some C/C++ and C# thrown in for good measure) performed for two different companies. That includes both proprietary code of these 2 companies, proprietary vendor code reviewed under NDAs, as well as some FOSS code. This talk explores the most commonly observed applied cryptography mistakes made by developers during that 8 year window and briefly describes how to correct them.
Bio
Kevin Wall has been involved in application security for the past 15+ years, but he still considers himself a developer first and an appsec engineer second. During most of those 15+ years, Kevin has specialized in applied cryptography and web appsec. Before transitioning to appsec, Kevin spent 17 years at (now Nokia, then AT&T) Bell Labs, leaving there as a DMTS in 1996 to become an independent consultant in C++ and Java.
Kevin became involved in the OWASP Enterprise Security API (ESAPI) project in early fall of 2009, and after redesigning and rewriting all the symmetric cryptography related classes, he somehow found himself โelectedโ as co-project lead of ESAPI in 2011. He also spent from 2000-2007 as an adjunct faculty member on the Franklin University CS staff where he taught Distributed Operating Systems and Computer Security. Kevin has been working on the Wells Fargo Secure Code Review team for just over of 3 years; he figures it is about as close to code as any company will let him get, which is why he stays active in the development of ESAPI.
When Kevin is not around code, he waxes eloquently on 3-4 page TL;DR discourses that he posts various mailing lists or hangs out with other dinosaur friends at local watering holes discussing appsec, coding, sports, puns, and quantum physics.