On the third of July, I discussed Google’s Web vulnerability scanner, RatProxy — and the fact that Google released it under an open source license. Now, Google’s at it again. A post to the Google Online Security Blog yesterday announced that Keyczar has been released under an open source license.

The Keyczar Website describes it as:

an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications

The license terms for Keyczar are those of the Apache 2.0 license, the same Copyfree, Free Software, and Open Source license used for RatProxy.

Keyczar offers simple Java and Python APIs, and a C++ API is promised. Usage code examples in both Java and Python are extremely simple, living up to the promise of “a simple API”.

As the Keyczar homepage puts it:

Cryptography is easy to get wrong. Developers can choose improper cipher modes, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple programming interface.

Keyczar is designed to be open, extensible, and cross-platform compatible. It is not intended to replace existing cryptographic libraries like OpenSSL, PyCrypto, or the Java JCE, and in fact is built on these libraries.
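The passage above names the mechanism that makes key rotation safe: every output carries a tag identifying the key version that produced it, so a keyset can hold several versions at once and promote a new primary without invalidating older outputs. The following Python block is an added illustration of that idea, not Keyczar's own code or file format; it uses a stand-in HMAC-SHA256 signer with a constructed 5-byte header (one format byte plus a 4-byte key version number) and constructed sample messages, and the class and function names are hypothetical.

```python
"""Versioned-key tagging and rotation (constructed illustration, not Keyczar code).

Each tag is prefixed with a header naming the key version that produced it, so
verification can look up the right key, a keyset can hold several versions at
once, and rotating the primary never breaks data signed under older versions.
"""
import hashlib
import hmac
import secrets
import struct

FORMAT_VERSION = 0             # 1-byte tag format identifier (assumed value)
HEADER = struct.Struct(">BI")  # format byte + 4-byte key version, big-endian
MAC_LEN = hashlib.sha256().digest_size


class VersionedSigner:
    """HMAC-SHA256 signer whose tags name the key version that produced them."""

    def __init__(self):
        self.keys = {}       # key version -> 32-byte secret
        self.primary = None  # version used for all new signatures

    def add_version(self, key=None):
        """Add a new key version and make it primary (the rotation step)."""
        version = max(self.keys, default=0) + 1
        self.keys[version] = key if key is not None else secrets.token_bytes(32)
        self.primary = version
        return version

    def revoke(self, version):
        """Drop a retired key version; tags made with it can no longer verify."""
        if version == self.primary:
            raise ValueError("cannot revoke the primary key version")
        del self.keys[version]

    def sign(self, message):
        header = HEADER.pack(FORMAT_VERSION, self.primary)
        # The header is covered by the MAC, so the version field cannot be swapped.
        mac = hmac.new(self.keys[self.primary], header + message, hashlib.sha256).digest()
        return header + mac

    def verify(self, message, tag):
        if len(tag) != HEADER.size + MAC_LEN:
            return False
        fmt, version = HEADER.unpack_from(tag)
        key = self.keys.get(version)
        if fmt != FORMAT_VERSION or key is None:
            return False  # unknown format, or a version this keyset no longer holds
        expected = hmac.new(key, tag[:HEADER.size] + message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag[HEADER.size:])


def rotation_walkthrough():
    """Run a rotate-then-revoke cycle and return each outcome as a boolean."""
    signer = VersionedSigner()
    v1 = signer.add_version()
    msg = b"order-1234: ship to warehouse 7"   # constructed sample message
    tag_v1 = signer.sign(msg)

    v2 = signer.add_version()                   # rotate: v2 becomes primary
    tag_v2 = signer.sign(msg)

    results = {
        "v1_tag_still_valid_after_rotation": signer.verify(msg, tag_v1),
        "new_tags_use_new_version": HEADER.unpack_from(tag_v2)[1] == v2,
        "tampered_message_rejected": not signer.verify(msg + b"!", tag_v2),
        "truncated_tag_rejected": not signer.verify(msg, tag_v2[:-1]),
    }
    signer.revoke(v1)                           # retire the old key once nothing depends on it
    results["v1_tag_rejected_after_revoke"] = not signer.verify(msg, tag_v1)
    results["v2_tag_valid_after_revoke"] = signer.verify(msg, tag_v2)
    return results


if __name__ == "__main__":
    for name, ok in rotation_walkthrough().items():
        print(f"{name}: {ok}")
```

The two design points worth noticing are that the version header is included in the MAC input (so an attacker cannot redirect verification to a different key by editing the tag), and that rotation and revocation are separate steps: adding a new primary keeps old outputs verifiable, and only an explicit revoke retires a version.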

In short, Google is doing things right with regard to security software development. In my 22 May article, Not Invented Here has no place in open source development, I discussed in brief how isolated development leads to flawed security software. Needless reinvention is an all too common way for people to create security vulnerabilities where they didn’t exist before.

I’m increasingly encouraged by evidence of Google’s commitment to improving the selection of security tools available, and I look forward to more from the Google Security Team.