Why this module exists. Cryptographic primitives have safe defaults that produce safe outcomes if used correctly. Developers who deviate — even with good intentions — introduce subtle but catastrophic bugs. This module is the practitioner safety pattern.
The cardinal rule — use high-level APIs
Cryptographic library design has converged on high-level APIs that build in the safe defaults and hide the low-level choices from the user:
- libsodium: crypto_secretbox, crypto_box, crypto_sign. Picks primitives, modes, nonce generation correctly.
- Tink (Google): AEAD, MAC, signature. Versioned key management built in.
- NaCl / TweetNaCl: the same API family as libsodium.
- cryptography (Python): high-level recipes (Fernet for AEAD) + lower-level primitives.
If your application code calls cipher.encrypt directly with mode parameters, you are in low-level API territory, where mistakes are easier to make.
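The difference in practice, as an added example that is not part of the original page: the same message is protected once with a hand-assembled AES-CTR cipher and once with the Fernet recipe, and one bit of each ciphertext is then flipped. It assumes the Python cryptography package is installed; the sample message and all helper names are constructed for illustration.

```python
import base64
import os

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

MESSAGE = b"amount=0100;to=alice"  # constructed sample plaintext


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate corruption or modification in transit: flip one bit."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def lowlevel_tamper_result() -> bytes:
    """Low-level territory: the caller picks algorithm, mode and nonce,
    and nothing checks integrity. Decryption of modified data 'succeeds'."""
    key, nonce = os.urandom(32), os.urandom(16)
    enc = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    ciphertext = enc.update(MESSAGE) + enc.finalize()

    modified = flip_bit(ciphertext, 7)  # byte 7 is the first digit of the amount

    dec = Cipher(algorithms.AES(key), modes.CTR(nonce)).decryptor()
    return dec.update(modified) + dec.finalize()  # no exception raised


def fernet_rejects_modified_token() -> bool:
    """High-level recipe: key format, IV and MAC are handled by the library,
    so a modified token is rejected before any plaintext is returned."""
    f = Fernet(Fernet.generate_key())
    token = f.encrypt(MESSAGE)
    if f.decrypt(token) != MESSAGE:  # sanity check: clean round trip
        return False

    raw = base64.urlsafe_b64decode(token)
    modified = base64.urlsafe_b64encode(flip_bit(raw, 30))  # inside the ciphertext
    try:
        f.decrypt(modified)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    print("low-level decrypt of modified data:", lowlevel_tamper_result())
    print("Fernet rejects modified token:", fernet_rejects_modified_token())
```

The low-level path returns a different, well-formed message without any error, which is the kind of silent failure the high-level recipes are designed to rule out.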