This summer we’ve updated our guide to crypto security in Java from beginning to end, with new sections on crypto library bugs, frameworks, JDK and Bouncy Castle keystores, and more.
Users of the application crypto audit reports produced by Cryptosense Analyzer often want to export selected results in detail so they can be added to an issue tracker. We’ve now made this easier by adding stars to instances of our analysis rules: clicking a star marks an instance for export, and you can then export all starred instances together with the full stack trace showing where in the code each issue originates.
Over the past few months we’ve been looking at the security of applications that use the Java crypto API, or Java Cryptography Architecture (JCA), and examining the most commonly used providers, Oracle JCE and Bouncy Castle. Some of the results have been published in previous blog posts; we’ve now summarised all our findings in a free whitepaper.
From the intro:
This whitepaper is intended for developers who use, or are considering using, the Java crypto API, and for application security testers who review crypto security. It is not intended to be an introduction to cryptography, but rather a concise guide for readers familiar with crypto basics. We will tour the Java crypto API and explain common mistakes that cause security problems and crop up frequently in real applications.
We hope you find it useful – feedback is welcome. We’ll be updating the document in the future to cover some single sign-on protocol implementations and Java application framework crypto that we’ve been looking at recently, but suggestions for other topics are welcome.