Evaluate Cryptographic Security of Java Applications
Java business applications use cryptography extensively: to store passwords, encrypt database fields, communicate with servers and clients using TLS, and implement web application protocols.
Modern development projects combine off-the-shelf components, web application frameworks, in-house implementations, open-source libraries, third-party code and legacy systems. Calls to crypto APIs can come from any of these. How can the Application Security team gain visibility into the cryptography in use and assess its security?
Our Analyzer software is designed to address this problem. It combines a Java Agent, the Cryptosense App Tracer, that attaches itself to the JVM to make a trace of crypto calls, and an analysis engine, the Analyzer, that applies crypto usage rules to the resulting trace.
How it works
Cryptosense App Tracer attaches to the JVM running the application and traces the application's calls to crypto libraries, without needing access to source code. It can be used in development, in staging or during penetration tests.
Traces are uploaded to our analysis server, in the cloud or in-house, and run through our security analysis algorithms, which are derived from the latest academic results and Cryptosense’s own vulnerability research.
Results include links to stack traces for fast debugging, and compliance analysis against ENISA, NIST, PCI-DSS or a custom crypto policy.
Remediation and specific fixes for popular frameworks and libraries are included.