Cryptosense is a software company. We provide a tool that automates cryptography lifecycle management called Cryptosense Analyzer Platform (CAP).
Our customers are mainly large organizations that have complex IT infrastructure and strict compliance obligations, such as financial services firms, technology companies and banks.
CLM is a combination of technologies and practices that allow an organization to control the ways that cryptography is used throughout their applications and infrastructure. At its heart is a dedicated CLM tool, where cryptography usage information is gathered, analytics are produced, and automated actions triggered. Cryptosense Analyzer Platform (CAP) is the leading CLM software, trusted by global banks, financial services firms and technology companies worldwide.
When perfectly implemented and maintained, cryptography provides security we can rely on. However, tiny errors in its usage can lead to total loss of protection, and our increasing reliance on cryptography means that these mistakes now carry significant financial and reputational risks. These errors are easy to make and hard to detect.
Any organization that does not have full visibility on exactly how their cryptography is being used and managed is unable to accurately quantify and assess risk. Properly implemented CLM allows you to assess the state of security in your applications and infrastructure at any time, and optimise remediation efforts when required.
CAP is an analysis platform that takes input from a number of agents and combines the results to provide 360° visibility on the cryptography that secures your sensitive data.
CLM gives the security team visibility on all the encryption, signature and other operations in use every time a user is authenticated, code is signed, a TLS session is established, or cryptography is used anywhere for any purpose, together with the keys, certificates and data involved. It allows instant analysis of this information for security and compliance, and the ability to change the way cryptography is used in a controlled way.
Cryptosense is built on academic research and a fierce determination to provide the best technical solution on the market. We’re proud to be transparent about exactly what our tool does and how it works.
CAP consists of:
Results are correlated in the Analyzer platform to provide a comprehensive inventory. All scans and traces are centralized in a CAP server which can be used in SaaS or installed on-premise.
CAP’s lightweight application tracer agent sits inside a running application and records all the calls the app makes to its cryptographic libraries. See https://docs.cryptosense.com/traces/ for more information.
Tracing gives insight that static scanning cannot. Plenty of tools scan filesystems for certificates, but CAP also traces inside applications to show which of those certificates are actually loaded, and what they are used for.
Our adaptive mutation-based fuzzing engine explores the corner-cases of the PKCS#11 standard as implemented in the device under test. The results are passed through more than 100 compliance and vulnerability filters to detect anomalies and weaknesses.
CAP has a full GraphQL API allowing easy integration with other tools
No. CAP’s Application Tracer agent hooks the cryptographic libraries inside a running application and records every call the application makes to them, so no access to source code is needed.
The analysis platform (Analyzer) hosts the reporting web application. It is available in SaaS hosted in our cloud or as a completely self-contained virtual machine licensed for use on-premises.
In an on-premise deployment, the minimum number of applications covered is 50. The investment per application depends on the number of applications in scope. In SaaS, the minimum number of applications covered is 1.
Definitely. CAP works best when it is deployed as part of the DevOps toolchain, with tracers run in CI so that the inventory is refreshed on every build.
The Java tracing agent is OS-independent. The .NET tracer runs on .NET Core or .NET Framework. The filesystem scanner runs on Unix or Windows platforms. The OpenSSL tracer works on Linux for dynamically loaded OpenSSL libraries. Further tracer coverage is on the roadmap, including Python, JS/Node.js and Go.
Yes. Cryptosense has integrations for the three major cloud providers, including tracing of KMS operations and details of the KMS keys they reference, giving visibility, for example, on the data keys used in storage encryption and their relationship to master keys.
Yes, CAP can trace applications running in containers and it can also scan container images without running them.
Yes. All data in CAP instances can be queried through the GraphQL API, and the data collected centrally in any standard data analytics tool like Splunk or ELK.
Yes, CAP can trace COTS or legacy applications without requiring access to their source code.
There are no particular requirements for the VM in terms of CPU power, though more powerful instances will produce reports faster. Disk space depends on the number of applications to be tested, since the traces will be stored on the disk in the on-premises version. Traces can be quite large (e.g. 2-5 GB for large web applications and extensive testing).
No, the VM can be run completely internally. On-premise customers receive all updates to the rule base just like SaaS customers. These updates are made available on our servers in the form of Debian/Red Hat packages every quarter, which on-premises customers can download and apply to their Analyzer VM. No data is ever sent from the Analyzer VM to Cryptosense or elsewhere.
The Analyzer VM runs on Linux, using Python/Flask for the web application and OCaml for the analysis engine. We supply packages for Debian and for Red Hat Enterprise Linux/CentOS.
We have a security policy document that describes in detail the measures we take. In general, we follow best practices for web development, including using up-to-date and well-tested frameworks and libraries, paying attention to source code management and using a modern CI process, taking specific measures against attack vectors such as injection, cross-site scripting and authorisation bypass, and having third parties carry out grey-box pen-tests. Traces are uploaded to the server over TLS.
CAP is currently hosted on Amazon Web Services, but we can create on-demand instances elsewhere to suit customer compliance requirements.
CAP software contains an extensive parser for X.509 certificates and detects all common formats: DER and PEM encodings (.cer, .crt, .der, .pem), PKCS#7 bundles (.p7b, .p7c, .p7) and PKCS#12 keystores (.p12, .pfx), whether or not the keystore is encrypted.
CAP scans both on filesystems, and while dynamically tracing applications. The filesystem scanner detects encrypted keystores even if it cannot decrypt them. The CAP application tracer can also detect certificates inside the encrypted keystore if the application loads it.
CAP can detect the different Java keystore types (.jck, .jks, .cacerts, .jceks). In addition, CAP’s filesystem scanner can parse the certificates inside JKS, CACERTS and JCEKS keystores even without the keystore password, because these formats store certificate entries in clear: only private-key entries are encrypted, and the store password keys nothing but the trailing integrity digest.
Yes, CAP can identify intended certificate usage from the Key Usage and Extended Key Usage extensions in the X.509 certificate, and in addition, CAP application tracers can see exactly what operations certificates are actually used for inside applications.
Yes.
Yes, we are a Venafi development partner and have a native integration that allows exchange of data in both directions, i.e. enriching of the CAP inventory scans with certificate data from Venafi TPP, and sending of orphaned certificates detected in CAP scans to Venafi TPP.
CAP combines static scanning, which finds candidate hard-coded keys, with dynamic tracing, which confirms whether those keys are actually loaded and used at runtime, so that false positives are reduced.
Yes. CAP detects default passwords and unencrypted private keys on filesystems. Additionally, CAP evaluates the strength of every keystore credential used by the application, giving an estimate of the computational resources required to brute-force that specific keystore type with that credential, based on the latest Hashcat benchmarks.
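The two scanner behaviours described above, reading certificates out of a JKS keystore without its password and flagging unencrypted private keys on disk, can be demonstrated with a short stand-alone script. This is an added example, not Cryptosense code: the file contents, paths and the placeholder "certificates" (a bare DER SEQUENCE holding INTEGER 1, not real X.509) are constructed here. The JKS layout it reads (magic 0xFEEDFEED, per-entry tag/alias/timestamp, length-prefixed blobs, trailing SHA-1 keyed by the password and the string "Mighty Aphrodite") is the format written by the JDK's JavaKeyStore.

```python
"""Added example: classify key material by content and list JKS certificates without the password."""
import hashlib
import io
import struct
from typing import Any, Dict, List

JKS_MAGIC = struct.pack(">I", 0xFEEDFEED)
JCEKS_MAGIC = struct.pack(">I", 0xCECECECE)


def classify(data: bytes) -> str:
    """Coarse content-based label (magic bytes / PEM armour); never trust the file extension."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if data.startswith(JCEKS_MAGIC):
        return "jceks"
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data or b"Proc-Type: 4,ENCRYPTED" in data:
        return "pem-private-key-encrypted"
    if b"-----BEGIN" in data and b"PRIVATE KEY-----" in data:
        return "pem-private-key-unencrypted"  # the finding a filesystem scanner should raise
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem-certificate"
    if data[:1] == b"\x30":
        return "der"  # X.509, PKCS#7 and PKCS#12 all begin with a SEQUENCE; an ASN.1 walk tells them apart
    return "unknown"


# Java DataOutput encodings used by JKS: writeUTF = 2-byte length + UTF-8; blobs = 4-byte length + bytes
def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _blob(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_utf(buf: io.BytesIO) -> str:
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n).decode("utf-8")

def _read_blob(buf: io.BytesIO) -> bytes:
    (n,) = struct.unpack(">I", buf.read(4))
    return buf.read(n)

def _read_cert(buf: io.BytesIO, version: int) -> Dict[str, Any]:
    cert_type = _read_utf(buf) if version == 2 else "X.509"  # JKS v1 stores no type string
    der = _read_blob(buf)
    return {"type": cert_type, "sha256": hashlib.sha256(der).hexdigest(), "der": der}


def parse_jks(data: bytes) -> Dict[str, Any]:
    """Walk a JKS file without a password: certificates are in clear, only key blobs are encrypted."""
    buf = io.BytesIO(data)
    magic, version, count = struct.unpack(">4sII", buf.read(12))
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    entries: List[Dict[str, Any]] = []
    for _ in range(count):
        (tag,) = struct.unpack(">I", buf.read(4))
        alias = _read_utf(buf)
        (ts_ms,) = struct.unpack(">Q", buf.read(8))
        if tag == 1:  # PrivateKeyEntry: encrypted PKCS#8 blob followed by the certificate chain
            enc_key = _read_blob(buf)
            (chain_len,) = struct.unpack(">I", buf.read(4))
            chain = [_read_cert(buf, version) for _ in range(chain_len)]
            entries.append({"alias": alias, "kind": "private-key", "timestamp_ms": ts_ms,
                            "encrypted_key_len": len(enc_key), "chain": chain})
        elif tag == 2:  # TrustedCertificateEntry: a single certificate
            entries.append({"alias": alias, "kind": "trusted-cert", "timestamp_ms": ts_ms,
                            "chain": [_read_cert(buf, version)]})
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return {"version": version, "entries": entries, "digest": buf.read(20)}


def jks_integrity_ok(data: bytes, password: str) -> bool:
    """All the store password protects: SHA-1(password as UTF-16BE || 'Mighty Aphrodite' || body)."""
    body, digest = data[:-20], data[-20:]
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest() == digest


def build_jks(entries: List[Dict[str, Any]], password: str) -> bytes:
    """Serialise a JKS v2 store; used here only to construct the sample input."""
    out = JKS_MAGIC + struct.pack(">II", 2, len(entries))
    for e in entries:
        if e["kind"] == "trusted-cert":
            out += struct.pack(">I", 2) + _utf(e["alias"]) + struct.pack(">Q", 0)
            out += _utf("X.509") + _blob(e["chain"][0])
        else:
            out += struct.pack(">I", 1) + _utf(e["alias"]) + struct.pack(">Q", 0)
            out += _blob(e["encrypted_key"]) + struct.pack(">I", len(e["chain"]))
            for der in e["chain"]:
                out += _utf("X.509") + _blob(der)
    return out + hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + out).digest()


# Constructed sample "filesystem" (paths and contents are made up for this example). FAKE_CERT is a
# stand-in DER blob, not a real certificate, and the PEM bodies are filler: only the armour is inspected.
FAKE_CERT = b"\x30\x03\x02\x01\x01"
SAMPLE_FILES: Dict[str, bytes] = {
    "/opt/app/conf/keystore.jks": build_jks(
        [{"kind": "private-key", "alias": "server", "encrypted_key": b"\x00" * 16, "chain": [FAKE_CERT, FAKE_CERT]},
         {"kind": "trusted-cert", "alias": "corp-root", "chain": [FAKE_CERT]}],
        password="changeit"),
    "/opt/app/conf/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "/opt/app/conf/id_ec.pem": b"-----BEGIN EC PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                               b"DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END EC PRIVATE KEY-----\n",
}


def scan(files: Dict[str, bytes]) -> List[Dict[str, Any]]:
    """Inventory rows: one per file, plus aliases and certificate fingerprints for any JKS found."""
    rows = []
    for path, data in files.items():
        kind = classify(data)
        row: Dict[str, Any] = {"path": path, "kind": kind}
        if kind == "jks":
            ks = parse_jks(data)
            row["aliases"] = [e["alias"] for e in ks["entries"]]
            row["cert_fingerprints"] = sorted({c["sha256"] for e in ks["entries"] for c in e["chain"]})
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in scan(SAMPLE_FILES):
        print(row)
```

Two things are worth noticing when running it: the JKS aliases and certificate fingerprints come out without any password, and `jks_integrity_ok` is a single unsalted SHA-1 over the store, which is why a weak keystore credential is cheap to brute-force offline and why the credential-strength estimate described above matters.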
Yes.
Yes. CAP application tracers report all the calls made to cryptographic libraries, including identifying the algorithms used. CAP static scanners find calls to particular library interfaces which in many cases can also identify the algorithm used.
The type of cryptography inventory that CAP collects, which includes details on how cryptography is called and what it is used for rather than a simple list of algorithms, conforms to what the NIST ‘Getting Ready for Post Quantum Cryptography’ guide prescribes as the kind of actionable inventory that allows playbook preparation for post-quantum migration.
We believe that true cryptographic agility comes not from switching algorithms in a library, but from having a continuously up-to-date and complete view of the entire call stack that is using cryptography across applications. This means that when a cryptographic algorithm needs to be changed, we already know what the consequences will be for the rest of the application and can plan and monitor the transition in CI as the application changes.
No. Without full visibility on the entire cryptography ecosystem, switching algorithms can cause time-outs, data field overflows, key-storage issues, etc. This applies particularly to the transition to post-quantum or hybrid post-quantum/classical cryptography, which introduces new constraints in terms of larger key and signature sizes, performance, additional protocol operations and so on.
Yes. The Cryptosense approach to crypto-agility is to build a continuous cryptography inventory that stays up to date thanks to its integration into the DevOps toolchain for in-house applications and with business-as-usual scanning tools for other points in the infrastructure. This inventory is queryable via the GraphQL interface allowing immediate, actionable intelligence on where and how algorithms are being used facilitating a coherent crypto-agility programme.
Yes. Tracers can be deployed at scale using DevOps management tools, such as the CI managers Jenkins and GitHub Actions and build engines like Gradle and Maven. Scaled-up use of the filesystem scanner can be facilitated with endpoint-management tools like Tanium. The collection and organisation of large amounts of data is accommodated by the platform, which features customizable data retention rules and multiple levels of hierarchy (slots, projects and organisations) for structuring scan results and producing statistical summaries.
Yes. CAP allows policies to be defined for the whole organisation or for specific sets of applications. There are a number of pre-set policies available, including FIPS, PCI-DSS and ENISA policies, as well as a full capability to create customized policies for your organization.
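To make concrete what "policy" means over the kind of data the tracers collect (the library calls and algorithm names described under the algorithm-identification answer above), here is an added, stand-alone example of a data-driven rule set evaluated against traced calls, with per-application exemptions. It is not CAP's policy engine and does not reproduce the content of the FIPS, PCI-DSS or ENISA policies; the trace records, application names, call sites and rule identifiers are constructed for illustration. One detail it handles that a naive check misses: with the SunJCE provider, `Cipher.getInstance("AES")` with no mode or padding resolves to AES/ECB/PKCS5Padding, so the bare name must be normalised to ECB before any rule runs.

```python
"""Added example: evaluate traced cryptographic calls against a policy (constructed data and rules)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class CryptoCall:
    app: str
    api: str                     # library entry point the tracer hooked
    algorithm: str               # JCA name exactly as the application passed it
    key_bits: Optional[int] = None
    site: str = ""               # application call site from the recorded stack


BLOCK_CIPHERS = {"AES", "DES", "DESEDE", "BLOWFISH"}


def parse_algorithm(name: str) -> Dict[str, str]:
    """Normalise a JCA cipher transformation ('AES/CBC/PKCS5Padding', 'AES') or signature ('SHA256withRSA')."""
    m = re.fullmatch(r"(\w+)with(\w+)", name, re.IGNORECASE)
    if m:
        return {"kind": "signature", "digest": m.group(1).upper(), "alg": m.group(2).upper(),
                "mode": "", "padding": ""}
    parts = name.split("/")
    alg = parts[0].upper()
    mode = parts[1].upper() if len(parts) > 1 else ""
    padding = parts[2].upper() if len(parts) > 2 else ""
    if alg in BLOCK_CIPHERS and not mode:
        mode = "ECB"             # SunJCE default when the app passes only the algorithm name
        padding = padding or "PKCS5PADDING(IMPLICIT)"
    return {"kind": "cipher", "alg": alg, "mode": mode, "padding": padding, "digest": ""}


@dataclass(frozen=True)
class Rule:
    id: str
    severity: str
    check: Callable[[CryptoCall, Dict[str, str]], Optional[str]]  # returns a detail string when violated


def _ecb(call: CryptoCall, p: Dict[str, str]) -> Optional[str]:
    if p["kind"] == "cipher" and p["alg"] in BLOCK_CIPHERS and p["mode"] == "ECB":
        return f"{p['alg']} in ECB mode (requested as '{call.algorithm}')"
    return None

def _legacy_cipher(call: CryptoCall, p: Dict[str, str]) -> Optional[str]:
    return f"legacy cipher {p['alg']}" if p["alg"] in {"DES", "DESEDE", "RC4", "BLOWFISH"} else None

def _weak_digest_sig(call: CryptoCall, p: Dict[str, str]) -> Optional[str]:
    if p["kind"] == "signature" and p["digest"] in {"MD5", "SHA1"}:
        return f"signature over {p['digest']}"
    return None

def _short_rsa(call: CryptoCall, p: Dict[str, str]) -> Optional[str]:
    if p["alg"] == "RSA" and call.key_bits is not None and call.key_bits < 2048:
        return f"RSA-{call.key_bits}"
    return None

def _pkcs1v15_encrypt(call: CryptoCall, p: Dict[str, str]) -> Optional[str]:
    if p["kind"] == "cipher" and p["alg"] == "RSA" and p["padding"] in {"PKCS1PADDING", ""}:
        return "RSA encryption with PKCS#1 v1.5 padding; use OAEP"
    return None


# Illustrative baseline; rule ids and severities are this example's, not a published standard's.
BASELINE = [
    Rule("ECB-MODE", "high", _ecb),
    Rule("LEGACY-CIPHER", "high", _legacy_cipher),
    Rule("WEAK-SIG-DIGEST", "high", _weak_digest_sig),
    Rule("RSA-KEY-SIZE", "high", _short_rsa),
    Rule("RSA-PKCS1V15-ENC", "medium", _pkcs1v15_encrypt),
]


@dataclass
class Policy:
    rules: List[Rule]
    exemptions: Dict[str, Set[str]] = field(default_factory=dict)  # app -> rule ids waived for it


def evaluate(calls: List[CryptoCall], policy: Policy) -> List[Dict[str, str]]:
    """Apply every rule to every call, skipping rules the policy waives for that application."""
    findings = []
    for c in calls:
        parsed = parse_algorithm(c.algorithm)
        for r in policy.rules:
            if r.id in policy.exemptions.get(c.app, set()):
                continue
            detail = r.check(c, parsed)
            if detail:
                findings.append({"rule": r.id, "severity": r.severity, "app": c.app,
                                 "site": c.site, "detail": detail})
    return findings


def summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Finding count per application, the kind of roll-up a per-project dashboard shows."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["app"]] = counts.get(f["app"], 0) + 1
    return counts


# Constructed trace records, shaped like what an in-process tracer captures (not real captures).
SAMPLE_TRACE = [
    CryptoCall("payments-api", "javax.crypto.Cipher.getInstance", "AES/GCM/NoPadding", 256, "TokenVault.encrypt:41"),
    CryptoCall("payments-api", "javax.crypto.Cipher.getInstance", "AES", 128, "LegacyExport.wrap:88"),
    CryptoCall("payments-api", "java.security.Signature.getInstance", "SHA1withRSA", 2048, "Receipt.sign:12"),
    CryptoCall("batch-etl", "javax.crypto.Cipher.getInstance", "DESede/CBC/PKCS5Padding", 168, "FileCrypt.open:7"),
    CryptoCall("batch-etl", "javax.crypto.Cipher.getInstance", "RSA/ECB/PKCS1Padding", 1024, "KeyTransport.wrap:30"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_TRACE, Policy(BASELINE)):
        print(f"[{f['severity']}] {f['rule']} {f['app']} {f['site']}: {f['detail']}")
    print(summary(evaluate(SAMPLE_TRACE, Policy(BASELINE))))
```

The exemption map is how an organisation-wide policy is narrowed for a specific set of applications without editing the rules themselves; in practice each waiver should carry an owner and an expiry, which this example omits.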
A Cryptosense Analyzer Platform subscription includes the Analyzer platform, plus all the scanning and tracing agents. It also includes software updates, maintenance and support.
Yes. Depending on your needs we can provide a package of services and training to help you get the most out of your subscription.
The price depends on the number of applications in scope for the deployment, with the per-application price decreasing for large numbers of applications. Testing and analysis are unlimited for the identified applications during the license period. The customer can deploy one or several instances, depending on the size and layout of their IT infrastructure; the number of instances does not affect pricing.
Contact our team to discuss your project and get a quote for your deployment.