Suppose you’re looking at a tool or library that uses cryptography. At this point in time, the majority of developers unfortunately don’t have the skill set required to use cryptography securely. With that in mind, how can you tell whether or not this tool is safe to use?

There are a number of “red flags” that I use to quickly get a sense of the author’s familiarity with cryptography. If I spot any of them, I know that this software isn’t safe to use, and I move on to the next option.

This is a heuristic that I use to help estimate the author’s proficiency with cryptography. Some red flags do not indicate vulnerabilities themselves – instead, they indicate with high probability that serious problems lurk elsewhere in the code.

Here’s a non-exhaustive list of red flags:

It’s important to note that the absence of red flags does not at all indicate security. This is just my “fizzbuzz” for crypto code, which helps me to decide for or against further investigation.