by rubendev 234 days ago
Yes, it’s an audit checklist for when you need to know specifically what to use and with which parameters.

It’s unfortunate if there are mistakes in there. The people at OWASP would be very happy to receive feedback on their GitHub, I’m sure.

It's a bad audit checklist! If OWASP volunteers can't do a good one, they should just not do one at all. It's fine for them not to cover things that are outside their expertise.
Which one would you recommend instead? Referring dev teams to NIST standards or the like doesn’t work well in my experience.
There doesn't always have to be a resource. Sometimes no resource is better than a faulty one. Cryptography is one of those cases.