"That's my perspective from 30 years of doing this": An Interview Study on Practices, Experiences, and Challenges of Updating Cryptographic Code

Alexander Krause

34th USENIX Security Symposium (USENIX Security '25) · Day 2 · Software Security and Usable Security

Alexander Krause from CISPA presented a seminal study at USENIX Security, delving into the critical yet often overlooked domain of cryptographic code updates. Titled "That's my perspective from 30 years of doing this," the research highlights the profound complexity and long-term commitment required to maintain secure cryptographic implementations in software. This work addresses a significant gap in software security research by investigating the human and organizational factors that influence how developers manage these updates in practice, moving beyond the traditional focus on cryptographic algorithm design or implementation flaws.

AI review

Legitimate academic research filling a real gap — qualitative study on the human/organizational side of crypto updates is underexplored and the PQC timing makes it genuinely relevant. But this is a conference paper presentation, not a deep technical talk, and the substance is mostly what you'd expect: developers improvise, documentation is bad, legacy systems are a pain, expertise is scarce. Solid work, honest methodology, but not a talk that will rewire how defenders operate.
