During the past 7 years, Kevin has examined how cryptography has been used in close to 200+ different projects from a security risk perspective. This includes 85+ design reviews and 100+ secure code reviews (mostly Java, with some C/C++ and C# thrown in for good measure) performed for two different companies. The material reviewed includes proprietary code of these 2 companies, proprietary vendor code reviewed under NDAs, and some FOSS code. This talk explores the applied cryptography mistakes most commonly made by developers during that 7-year window and briefly describes how to correct them.