Software today is much like a building made up of code blocks, where cryptographic algorithms are the essential components that protect our data. But just like any building material, these algorithms can wear out and need updating. In a recent study, Alexander Krause from CISPA spoke with 21 developers to uncover the practical challenges of updating cryptographic code—a topic he’ll be discussing at the Usenix Security Symposium in Seattle on August 14, 2025.
Crytographic algorithms work by encrypting your data, ensuring it stays out of the wrong hands. However, as technology pushes forward, even these trusted safeguards face new threats. Take quantum computing for example—it uses three states instead of the usual two, which could eventually undermine current encryption methods. As Krause puts it, “If connections are encrypted with TLS, those data streams can’t be decrypted yet—but it’s very likely that this will be possible in the future.”
The idea of “crypto agility” is central here. It’s all about building software with the flexibility to swap out or update encryption methods as new vulnerabilities or improvements come to light. Yet, many developers have found themselves short of the required expertise to manage these changes without disruption.
Another issue is that many cryptographic tools come from open-source libraries maintained by small, dedicated teams. While these libraries save time by offering ready-to-use solutions, they can become weak links if they aren’t kept up to date, potentially exposing multiple applications to security risks.
Krause’s interviews also highlighted a common frustration: news about critical updates often trickles in through unofficial channels like blogs and social media. This piecemeal stream of information leaves developers without a solid process for managing updates, which can complicate the task of keeping software secure.
The key takeaway? There’s a noticeable gap between cutting-edge cryptographic research and everyday development practices. By improving how new findings are shared, the community can better equip developers to tackle these challenges head on.
