Addressing post-quantum cryptography with CodeQL
Blog post from GitHub
Quantum computing, once a concept reminiscent of science fiction, has become a significant focus in cryptography because of its potential to undermine the security measures in use today. A collaboration among GitHub, Santander, and Microsoft researchers has explored the implications of post-quantum cryptography, aiming to develop systems that remain secure against both quantum and classical computing.

To address the challenges posed by massive codebases and complex cryptographic implementations, the team used CodeQL and multi-repository variant analysis to scale their efforts across numerous repositories, facilitating the creation of a Cryptography Bill of Materials (CBOM). A CBOM helps organizations understand and manage the cryptographic software components within their systems. The approach uses custom CodeQL queries to model cryptographic concepts and scale the analysis, promoting cryptographic agility by preparing organizations for a quantum-safe future.

The team's findings, including practical strategies for instilling cryptographic agility, will be presented at Black Hat Europe 2023, offering further insight into maintaining security amid the rise of quantum computing.
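As an added illustration of what a CBOM entry carries (example code written for this page, not the GitHub, Santander or Microsoft team's CodeQL queries), the following Python scanner plays the role of a custom query: it walks source with the `ast` module, records each recognised cryptographic API call, and tags it with a quantum-safety status. The API mapping and the sample source are constructed for the example.

```python
import ast

# Constructed mapping: trailing API path -> (algorithm, quantum status).
# Shor's algorithm breaks RSA and elliptic-curve schemes; Grover's search
# only halves symmetric and hash security, so AES key sizes are reviewed
# while SHA-256 stays acceptable.
CRYPTO_APIS = {
    "rsa.generate_private_key": ("RSA", "quantum-vulnerable"),
    "ec.generate_private_key": ("ECDSA/ECDH", "quantum-vulnerable"),
    "algorithms.AES": ("AES", "review-key-size"),
    "hashes.SHA256": ("SHA-256", "quantum-safe"),
}

def _dotted(node):
    """Render an attribute chain such as rsa.generate_private_key."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def build_cbom(source, path="<constructed>"):
    """Return CBOM entries, sorted by line, for each recognised crypto call."""
    entries = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        # Match on the last two components so fully qualified calls also hit.
        key = ".".join(name.split(".")[-2:])
        if key in CRYPTO_APIS:
            algorithm, status = CRYPTO_APIS[key]
            entries.append({"file": path, "line": node.lineno, "api": name,
                            "algorithm": algorithm, "status": status})
    return sorted(entries, key=lambda e: e["line"])

# Constructed sample source; it is scanned as text, never executed.
SAMPLE = """
from cryptography.hazmat.primitives.asymmetric import rsa, ec
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import algorithms
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
sig_key = ec.generate_private_key(ec.SECP256R1())
cipher = algorithms.AES(b"0" * 32)
digest = hashes.SHA256()
"""
```

Calling `build_cbom(SAMPLE, "app/crypto.py")` yields one entry per call, so the two `quantum-vulnerable` findings can be prioritised for migration while the symmetric and hash uses are only reviewed.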