[2/27/24, 11:00 AM EST] CSRC has been experiencing technical issues. If you are unable to access a CSRC page or resource, or get a 503 error, please try reloading the page several times--it may help to wait a few minutes before trying again. We apologize for the inconvenience, and hope to have a solution in place next week.
Abstract. Prior research has revealed a multitude of errors and developer pitfalls when implementing cryptography in software and hardware. To better understand the cryptographic development practices of organizations, we conducted interviews of individuals representing companies that include cryptography in their products. Our findings revealed a strong security mindset, demonstrated by organizational security culture and the deep expertise of those performing cryptographic development. This mindset, in turn, guides the careful selection of cryptographic resources and informs formal, rigorous development and testing practices. The enhanced understanding of organizational practices may aid in transferring lessons learned from more security-mature organizations to the broader development community. We also provide additional suggestions for making cryptographic resources more accessible and usable to developers of varying skill levels.