Auditing and Selecting Cryptographic Dependencies
Apply a framework for evaluating, auditing, and maintaining cryptographic library dependencies.
Why Library Selection Matters
The cryptographic library you choose is one of the most consequential security decisions in a project. Even well-intentioned developers using a poor library can produce insecure systems. Conversely, a well-designed library makes it difficult to make catastrophic mistakes. The selection process should be systematic, evaluating security track record, API design, maintenance status, and fitness for purpose.
Audit Date and Scope
One of the first questions for any cryptographic library is when it was last independently audited and what that audit covered. An audit from five years ago on version 1.0 provides less assurance for version 3.0 used today. Look for audits conducted by reputable security firms (NCC Group, Trail of Bits, Quarkslab, Cure53) covering the specific functionality you plan to use. Some libraries publish audit reports publicly; absence of any audit is a significant risk factor.
All lessons in this course
- libsodium: A Misuse-Resistant Crypto Library
- OpenSSL API: Core Structures and Pitfalls
- Google Tink: Safe High-Level Crypto
- Auditing and Selecting Cryptographic Dependencies