https://www.secdev.uk/blog/tags/cwe-330/ Recent content in CWE-330 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 01 Mar 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-03-01-cryptographic-failures-that-pass-code-review/ Sat, 01 Mar 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-03-01-cryptographic-failures-that-pass-code-review/ <p>Cryptographic code is uniquely dangerous, and it&rsquo;s one of the areas I find most challenging to review. The reason is simple: it can be completely wrong and still appear to work perfectly. A broken hash function still produces a hash. A weak cipher still encrypts and decrypts. A predictable random number generator still generates numbers. The application runs, tests pass, and the vulnerability sits quietly until an attacker exploits it. In this post, I want to walk through the cryptographic failures that routinely survive code review across Python, Java, Go, and Rust, from the obvious use of MD5 to the subtle misuse of otherwise strong primitives.</p>