Cryptosense Analyzer

Evaluate Cryptographic Security of Java Applications

Java business applications use cryptography extensively, to store passwords, encrypt database fields, communicate with servers and clients using TLS, and implement web application protocols.

Modern developments combine off-the-shelf components, web application frameworks, in-house implementations, open-source libraries, third-party code and legacy systems. Calls to crypto APIs can come from all of these. How can the Application Security team gain visibility into the cryptography used and assess its security?

Our Analyzer software is designed to address this problem. It combines a Java Agent, the Cryptosense App Tracer, that attaches itself to the JVM to make a trace of crypto calls, and an analysis engine, the Analyzer, that applies crypto usage rules to the resulting trace.

 

How it works

1. Tracing

Cryptosense App Tracer attaches to the JVM running the application and traces application calls to crypto libraries, without needing access to source code. It can be used in development, staging or penetration tests.

2. Analysis

Traces are uploaded to our analysis server, in the cloud or in-house, and run through our security analysis algorithms derived from the latest academic results and Cryptosense’s own vulnerability research.

3. Remediation

Results include links to stack traces for fast debugging and compliance analysis against ENISA, NIST, PCI-DSS or a custom crypto policy. They also include remediation guidance and specific fixes for popular frameworks and libraries.

 

For more information download the Cryptosense Analyzer brochure, find out about our evaluation pack or request a trial.

 

Java crypto security whitepaper

Covers JCE and BouncyCastle, key-management vulnerabilities, flaws in encryption and signature modes, randomness problems, insecure interactions between crypto operations and more.