Crypto Audit for Applications
Use Cryptosense Analyzer to audit your applications and infrastructure, understand your crypto landscape, and optimise bug-fix resources.
What does Cryptosense Analyzer do?
1. Finds security flaws related to the use of cryptography in applications.
2. Shows you how to fix these flaws.
3. Helps you demonstrate how secure your applications are to vendors/QA.
Business applications use cryptography extensively: to store passwords, encrypt database fields, communicate with servers and clients using TLS, and implement web application protocols.
However, modern applications are susceptible to crypto flaws because of their complexity: they often combine off-the-shelf components, web application frameworks, in-house implementations, open-source libraries, third-party code and legacy systems.
How do I use it?
Cryptosense Analyzer is a platform that analyses trace files. To make a trace file, you attach Cryptosense App Tracer or Cryptosense Library Fuzzer to a running application; the agent records every call the application makes to the crypto library. The resulting trace file is then uploaded to the Cryptosense Analyzer platform, where we apply our proprietary analysis algorithms and check the trace against our unique rule base.
Cryptosense App Tracer sees 100% of calls to crypto libraries in a running application, without needing access to source code. To test libraries, we replace the application with our proprietary fuzzing engine: Cryptosense Library Fuzzer.
Our last 5 deployments averaged 868 instances per application across 9 different findings, with more than 8 findings being classed as high or medium criticality. We found less than 1 false positive.
How can I get Cryptosense Analyzer?
Cryptosense Analyzer is available in SaaS edition or as an on-premise installation. Licensing is by annual subscription, per application. More information on SaaS pricing is available here. For a quote for an on-premise installation please get in touch.
Which APIs do you support?
– Java (JCE/JCA and the Bouncy Castle low-level interface)
– OpenSSL (libssl and libcrypto)
– .NET support is in development
How do I know if I need to use Cryptosense Analyzer?
If you’re not sure how much crypto is in your applications, you can use our (free) Cryptosense Analyzer Static Scanner tool to scan code for calls to crypto functions. It can be used to find out how much crypto is called in an application, or to evaluate the degree to which a trace recorded by our agents covers all the crypto in an application.
What types of flaws can Cryptosense Analyzer find?
– Incorrect choice of parameters to crypto functions
– Inappropriate combinations of crypto operations
– Incorrect use of randomness
– Weak cryptographic keys
– Weak passwords
– Weak password-based key derivation
– Key management vulnerabilities
– Inappropriate key lengths and group parameters
– Weak cryptographic algorithms
– Implementation vulnerabilities in cryptographic libraries
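The free static scanner mentioned above locates calls to crypto functions in source code, and several of the flaw classes in this list (weak algorithms, incorrect parameters, weak key derivation, incorrect use of randomness, short keys) can be spotted at that same level of detail. The following is an added example, not Cryptosense's code: a toy Python scanner over Java (JCE/JCA) source that finds such calls and flags the ones that fall into those categories. The regexes, rule names and thresholds (10,000 PBKDF2 iterations, 2048-bit RSA/DSA/DH keys) are this example's own assumptions, and the Java snippet it scans is constructed for illustration.

```python
"""Toy static scanner for crypto API calls in Java source (JCE/JCA).

Added example, not Cryptosense's code. It locates Cipher, MessageDigest,
PBE and KeyPairGenerator calls and flags parameter choices that fall into
the weak categories listed on the page. All patterns, rule names and
thresholds below are this example's own assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line rule detail")

# Regexes for the JCE/JCA calls this toy scanner understands (assumed patterns).
CIPHER = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
DIGEST = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"')
KDF = re.compile(r'SecretKeyFactory\.getInstance\(\s*"([^"]+)"')
PBE_SPEC = re.compile(r'new\s+PBEKeySpec\([^,]+,[^,]+,\s*(\d+)')   # 3rd arg = iterations
KPG = re.compile(r'KeyPairGenerator\.getInstance\(\s*"([^"]+)"')
KPG_INIT = re.compile(r'\.initialize\(\s*(\d+)')
JAVA_RANDOM = re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')   # not SecureRandom

WEAK_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR"}
WEAK_DIGESTS = {"MD2", "MD5", "SHA1", "SHA-1"}
MIN_PBKDF2_ITERATIONS = 10000      # assumed threshold
MIN_FACTORING_BITS = 2048          # assumed threshold for RSA/DSA/DH
FACTORING_ALGS = {"RSA", "DSA", "DH", "DIFFIEHELLMAN"}


def scan_java(source):
    """Return one Finding per weak crypto usage found in the Java text `source`."""
    findings = []
    last_kpg_alg = None  # most recent KeyPairGenerator algorithm, for the key-size rule
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CIPHER.search(line)
        if m:
            parts = m.group(1).upper().split("/")
            alg, mode = parts[0], (parts[1] if len(parts) > 1 else None)
            if alg in WEAK_CIPHERS:
                findings.append(Finding(lineno, "weak-algorithm", m.group(1)))
            # A bare "AES" transformation defaults to ECB in SunJCE, so treat it as ECB.
            if mode == "ECB" or (mode is None and alg == "AES"):
                findings.append(Finding(lineno, "ecb-mode", m.group(1)))
        m = DIGEST.search(line)
        if m and m.group(1).upper() in WEAK_DIGESTS:
            findings.append(Finding(lineno, "weak-digest", m.group(1)))
        m = KDF.search(line)
        if m:
            name = m.group(1).upper()
            if "MD5" in name or "DES" in name or "RC2" in name:
                findings.append(Finding(lineno, "weak-kdf-algorithm", m.group(1)))
        m = PBE_SPEC.search(line)
        if m and int(m.group(1)) < MIN_PBKDF2_ITERATIONS:
            findings.append(Finding(lineno, "weak-kdf-iterations", m.group(1)))
        if JAVA_RANDOM.search(line):
            findings.append(Finding(lineno, "insecure-randomness", "java.util.Random"))
        m = KPG.search(line)
        if m:
            last_kpg_alg = m.group(1).upper()
        m = KPG_INIT.search(line)
        if m and last_kpg_alg in FACTORING_ALGS and int(m.group(1)) < MIN_FACTORING_BITS:
            findings.append(Finding(lineno, "short-key", f"{last_kpg_alg} {m.group(1)} bits"))
    return findings


# Constructed Java snippet for the demo (illustrative text, not a compilable program).
SAMPLE_JAVA = """\
import javax.crypto.Cipher;
public class Demo {
  void run() throws Exception {
    Cipher c1 = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher c2 = Cipher.getInstance("DES/CBC/PKCS5Padding");
    Cipher c3 = Cipher.getInstance("AES/GCM/NoPadding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    MessageDigest ok = MessageDigest.getInstance("SHA-256");
    PBEKeySpec spec = new PBEKeySpec(pw, salt, 1000, 256);
    SecretKeyFactory f = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
    byte[] iv = new byte[16]; new Random().nextBytes(iv);
    SecureRandom sr = new SecureRandom();
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(1024);
  }
}
"""

if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line}: {f.rule} ({f.detail})")
```

Run on the constructed snippet, the scanner reports seven findings and stays silent on the AES-GCM, SHA-256 and SecureRandom lines. A pattern scanner like this only sees string literals and numeric constants written next to the call; a transformation name or iteration count that arrives in a variable is invisible to it, which is the coverage gap a runtime trace of the actual library calls closes.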
I’m not a crypto expert; will I understand the results?
We provide extensive support and detailed documentation to help you get the most from your analysis. Cryptosense Knowledge Base is a rich source of detailed information about Symmetric and Asymmetric Algorithms, Padding Modes, Crypto Attacks and Key Management. Request a demo to see a typical Analyzer output.