How can enterprises leverage Google's Project Wycheproof?

Google recently released Project Wycheproof, which is designed to test cryptographic software libraries for known vulnerabilities. How can enterprises take advantage of and benefit from this offering? Are there any potential drawbacks to exposing flaws in widely used cryptographic libraries?

The name Wycheproof was chosen because it's the smallest mountain in the world, and stands at a whopping 486 feet above sea level. The reason this particularly unimpressive mountain serves as the namesake of this project is because the tool is only the beginning.

The authors of this tool said they wanted to "create something with an achievable goal," and allowing others to use these tools without "digesting decades worth of academic literature" could lead to increased adoption of this tool and improved security across the internet.

If you're developing applications and using cryptographic libraries, this tool could be something to keep in your toolbox for further investigation and implementation. Project Wycheproof searches for 80 test cases in crypto libraries, and it has already found 40 security bugs that are currently being worked on.

When using tools like Project Wycheproof, or performing security research, you must always attempt to notify the vendor or organization that's responsible for the vulnerabilities discovered. Are there flaws or danger when exposing these faults in the wild? Absolutely. The issue then becomes how to notify others of these vulnerabilities after they're found in crypto libraries.

In the past few years, we've seen flaws in OpenSSL -- Heartbleed and DROWN, for example -- that directly affected user security across the internet as soon as they were released, but it's worth working with these vendors to improve and sanitize the internet of these vulnerabilities.

Next, you have to decide whether the vulnerability is worth releasing if there isn't adequate support from the vendor. And if you do release the threat, will the vendor take it seriously and fix the issue?

There are risks with finding vulnerabilities in crypto libraries because we trust them to secure our data and privacy. When releasing something into the wild that ultimately puts all of that at risk, it needs to be done in a calculated fashion, so it does not undermine the security that cryptography grants us.

On the flip side, you have to assume that if you find an undisclosed vulnerability, then you might not actually be the first to find it. Many zero-day vulnerabilities are found and are being actively used underground for malicious purposes. By not releasing them or working with the vendor, these potential unknown vulnerabilities could continue to be actively used by malicious actors.

Using tools like Project Wycheproof allows others to determine the security of their crypto libraries, but, more importantly, we should follow the lead of the developers who created it and act responsibly when we find potentially unknown bugs in the wild.

Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)