During the past 8 years, Kevin has examined how cryptography has been used in 300+ different projects from a security risk perspective. This includes 85+ design reviews as well as over 200 secure code reviews (mostly Java with some C/C++ and C# thrown in for good measure) performed for two different companies. That includes both proprietary code of these 2 companies, proprietary vendor code reviewed under NDAs, as well as some FOSS code. This talk explores the most commonly observed applied cryptography mistakes made by developers during that 8 year window and briefly describes how to correct them.

Kevin Wall has been involved in application security for almost the past 20 years, but he still considers myself a developer first and an AppSec engineer second. During most of past 20 years, Kevin has specialized in applied cryptography and web AppSec. Before transitioning to AppSec, Kevin spent 17 years at (now Nokia, then AT&T) Bell Labs doing mostly systems programming. He left Bell Labs as a DMTS in 1996 to become an independent consultant in C++ and Java. Kevin became involved in the OWASP Enterprise Security API (ESAPI) project in early fall of 2009, and after redesigning and rewriting all the symmetric cryptography related classes, he somehow found himself "elected" as co-project lead of ESAPI in 2011. He also spent from 2000-2007 as an adjunct faculty member on the Franklin University CS staff where he taught Distributed Operating Systems and Computer Security. Kevin has been working on the Wells Fargo Secure Code Review team for just over of 3 years; he figures it is about as close to code as any company will let him get, which is why he stays active in the development of ESAPI. When Kevin is not around code, he waxes eloquently on 3-4 page TL;DR discourses that he posts various mailing lists or hangs out with other dinosaur friends at local watering holes discussing AppSec, coding, sports, puns, and quantum physics.

Back to BSides Columbus Ohio 2019 video list