Using Cryptosense Analyzer for Automated Pen-Testing
Use Cryptosense Analyzer to perform an automated, systematic penetration test of the cryptographic API of your HSMs. This can be scheduled to take place regularly for Cloud HSMs, or applied as part of a procurement or deployment process to on-prem HSMs.
The advantages of using Cryptosense Analyzer for an automated penetration test are:
Repeatability. Cryptosense Fuzzer and Analyzer can be configured to produce a standard level of testing. Identified risks for which there are existing mitigating controls can be ignored. Users can iterate the testing to find a secure configuration using the options provided by the HSM manufacturer.
Clarity. The findings in Cryptosense Analyzer are explained for non-expert users of HSMs, to help in understanding what the PKCS#11 standard interface is supposed to keep secure, and what it is actually doing in the case of a vulnerable configuration.
Speed. The time needed to get a satisfactory penetration test depends somewhat on the speed of the HSM, but typically 24 hours of fuzzing is enough to get a solid set of results.
State-of-the-art coverage. Our vulnerability research teams work in close co-operation with the best applied crypto groups in academia and industry on new ways to attack cryptographic APIs.
Cryptosense Analyzer is always updated to take the latest results into account. Additionally, our extensive experience testing many models of HSM means that our fuzzer knows where to look to find new anomalies that may be exploited.