April 26, 2022
First revealed on Neil Madden’s blog, CVE-2022-21449 is a bug in recent releases of the Java runtime that allows an attacker to bypass signature verification in widely-used ECDSA. POCs exploiting the vulnerability show how, for example, to impersonate Google as a TLS server.
Read Article ->September 20, 2019
Containers are often designed to be stateless. That means all state changes made by the application happen in the database, or some external storage. They don't happen on the container filesystem...
Read Article ->June 20, 2019
As well as treating applications in Java and .NET, Cryptosense Analyzer can also check the cryptographic security of PKCS#11 implementations in HSMs and elsewhere. We recently added a few of improvements requested by our users.
Read Article ->January 8, 2019
Modern versions of IAST (like ours) can detect flaws even when the application is executing standard functional tests - there is no need to simulate attacks. This enables these tools to be deployed early in the development lifecycle and integrated into CI toolchains. However, there's one key feature that doesn't figure on most IAST checklists: coverage checking...
Read Article ->December 7, 2018
Amazon Simple Storage Service (S3) is one of the most widely-used cloud services. Most users of the service know it's wise to encrypt sensitive data before storing it in S3. In this post we'll look at how to do that securely using the AWS Java SDK, and how Cryptosense Analyzer will help you spot if you've done it wrong...
Read Article ->November 13, 2018
At Cryptosense, we wanted to build a tool that would effectively identify and help fix vulnerabilities related to cryptography - something no other tool makes a good job of...
Read Article ->December 21, 2016
Google recently announced a project to produce tests for cryptographic libraries to detect common weaknesses. Piloted by star cryptographers Daniel Bleichenbacher and Thai Duong, this is an exciting development for us at Cryptosense, and not just because they cite our CRYPTO '12 paper in their RSA tests.
Read Article ->October 3, 2016
PrimeKey Solutions develops and supports the most downloaded open source enterprise public-key infrastructure (PKI) software available, EJBCA. You can find out why they use Cryptosense Analyzer for Java in a case study we're releasing today...
Read Article ->May 31, 2016
The new version (3.2) of the PCI DSS compliance requirements for the payment card industry was released a few weeks ago. While the PCI definition of strong cryptography remains unchanged, the new version contains some other interesting new measures around secure use of cryptography
Read Article ->May 19, 2016
As trailed back in September 2015, Google are turning off SSLv3 and RC4 support from their TLS servers. For the vast majority of people, this will have no noticeable impact at all. However, there is one place where the deprecated protocol and insecure cipher still lurk: mailservers. In particular, according to the google blog post, "inbound/outbound gateways, third-party emailers, and systems using SMTP relay."
Read Article ->February 14, 2016
National and international standards bodies like NIST, ENISA and PCI already make recommendations about key-lengths and algorithms, so why write another set? At Cryptosense we've been working on a simple web-based tool to discover external-facing crypto services, and we needed a pragmatic set of best-practice standards for evaluating the results. If we used the ENISA "future application" standards, for example, pretty much the whole Internet would get an F.
Read Article ->August 7, 2014
A tracer is a simple but important tool for auditing crypto security that allows the analyst to see the calls made by an application to a crypto interface. This is especially useful if the application and/or the crypto provider are only available in binary or black-box form (e.g. an HSM), but the crypto API is known. Even if source code is available, a simple tracer can save a lot of time compared to instrumenting code or manually setting trace points.
Read Article ->