New Google tool helps find bugs in reused cryptography software

Dive Brief:

  • Google announced Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses, according to a Google blog.
  • The program, announced Monday, will allow engineers to test their software libraries against previously identified vulnerabilities and then fix them before they can potentially be exploited. Because new vulnerabilities appear almost daily, Google is also encouraging people to contribute to the project. 
  • "In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long," wrote Daniel Bleichenbacher and Thai Duong, security engineers at Google. 

Dive Insight:

When developers use third-party code, they may not be aware of vulnerabilities that code contains. Attackers can then zero in on a single such vulnerability and exploit it wherever that code is reused, potentially in hundreds, if not thousands, of enterprises.

Earlier this week, security researchers at Veracode said an estimated 80% of the code used in software applications today originates from third-party libraries or components. 

With Project Wycheproof, Google has developed more than 80 test cases, which have already uncovered more than 40 security bugs. The goal of the project is to let programmers check cryptographic software libraries for known weaknesses and fix those weaknesses before the library is put to use.
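To make concrete what a test-vector suite of this kind does, here is an added example that is not code from the article or from the Project Wycheproof repository: a small Python harness that runs constructed HMAC-SHA256 vectors against two verifiers, one with a subtle length-handling flaw and one hardened. The vector layout (fields named tcId, comment and result with verdicts "valid" and "invalid") is modelled loosely on the convention Wycheproof's JSON files use, but the key, message and cases below are constructed for this example and are not the project's own data.

```python
import hashlib
import hmac

# Constructed inputs (not real Wycheproof data): a fixed key and message.
KEY = bytes(range(32))
MSG = b"example message for the harness"
GOOD_TAG = hmac.new(KEY, MSG, hashlib.sha256).digest()

# Test vectors in a Wycheproof-style layout (assumed here, not the project's
# own schema). Each case carries the inputs and the verdict a correct verifier
# must return; the harness only checks that the verifier agrees.
VECTORS = [
    {"tcId": 1, "comment": "correct tag",
     "key": KEY, "msg": MSG, "tag": GOOD_TAG, "result": "valid"},
    {"tcId": 2, "comment": "last byte of tag flipped",
     "key": KEY, "msg": MSG,
     "tag": GOOD_TAG[:-1] + bytes([GOOD_TAG[-1] ^ 0x01]), "result": "invalid"},
    {"tcId": 3, "comment": "empty tag",
     "key": KEY, "msg": MSG, "tag": b"", "result": "invalid"},
    {"tcId": 4, "comment": "tag truncated to 4 bytes",
     "key": KEY, "msg": MSG, "tag": GOOD_TAG[:4], "result": "invalid"},
    {"tcId": 5, "comment": "tag one byte too long",
     "key": KEY, "msg": MSG, "tag": GOOD_TAG + b"\x00", "result": "invalid"},
    {"tcId": 6, "comment": "tag computed over a different message",
     "key": KEY, "msg": MSG + b"!", "tag": GOOD_TAG, "result": "invalid"},
]


def flawed_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verifier with a classic defect: it compares only as many bytes as the
    caller supplied, so a truncated tag is checked against a prefix and an
    empty tag is accepted unconditionally. Kept flawed on purpose to show
    what the vectors catch."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return expected[:len(tag)] == tag


def hardened_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verifier that insists on the full-length tag and compares it in
    constant time, so neither truncation nor timing leaks are possible."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return len(tag) == len(expected) and hmac.compare_digest(expected, tag)


def run_vectors(verify, vectors=VECTORS) -> list:
    """Run every vector through `verify` and return the tcIds whose verdict
    disagrees with the expected result. An empty list means the verifier
    passed the suite."""
    failures = []
    for case in vectors:
        got = verify(case["key"], case["msg"], case["tag"])
        want = case["result"] == "valid"
        if got != want:
            failures.append(case["tcId"])
    return failures


if __name__ == "__main__":
    for name, fn in (("flawed_verify", flawed_verify),
                     ("hardened_verify", hardened_verify)):
        bad = run_vectors(fn)
        status = "PASS" if not bad else "FAIL on tcId " + ", ".join(map(str, bad))
        print(f"{name}: {status}")
```

Running the harness reports the flawed verifier failing cases 3 and 4 (empty and truncated tags) while the hardened one passes every case; the point of a suite like this is that the vectors encode the known mistake once, so any library wired into the harness is checked for it automatically.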
