In a 2014 article “Why does cryptographic software fail?”, Lazar et al. took the most recent 269 CVEs marked as “cryptographic issues” and classified the site of the failure. While 17% of the failures were in crypto libraries, 83% were in the way the applications use the libraries. Up until now, Cryptosense Analyzer for Java applications only treated the 83%. Today that’s changing as we’ve added provider vulnerability testing.
Google recently announced a project to produce tests for cryptographic libraries to detect common weaknesses. Piloted by star cryptographers Daniel Bleichenbacher and Thai Duong, this is an exciting development for us at Cryptosense, and not just because they cite our CRYPTO ’12 paper in their RSA tests. It’s a validation of the prevalence and seriousness of security flaws around crypto use, and the need to detect them, which is exactly our mission at Cryptosense.