"We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products

Abstract. Prior research has revealed a multitude of errors and developer pitfalls when implementing cryptography in software and hardware. To better understand the cryptographic development practices of organizations, we conducted interviews of individuals representing companies that include cryptography in their products. Our findings revealed a strong security mindset, demonstrated by organizational security culture and the deep expertise of those performing cryptographic development. This mindset, in turn, guides the careful selection of cryptographic resources and informs formal, rigorous development and testing practices. The enhanced understanding of organizational practices may aid in transferring lessons learned from more security-mature organizations to the broader development community. We also provide additional suggestions for making cryptographic resources more accessible and usable to developers of varying skill levels.