Java is probably the most widely used programming language in the world. It certainly powers a large proportion of business applications. A million lines of code is a realistic codebase size. These applications use plenty of cryptography: to store passwords, encrypt database fields, communicate using TLS, and so on, often via the Java JCE/JCA crypto API. Many of them were first written a decade or more ago, so how secure is their crypto?
Our Cryptosense Analyzer is designed to help address this problem. It consists of a Java Agent that attaches itself to the JVM to make a trace of crypto calls, and an analysis engine that applies crypto usage rules to the resulting trace. This short demo video shows it in action. You can choose which rules you want to apply and filter on particular packages of interest.
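To make the "rules applied to a trace" idea concrete, here is an added sketch that is not Cryptosense code and does not use its trace format: the `Call` record, the three rule names and the package names are assumptions made for illustration. It checks a constructed trace of JCA calls, with rule selection and package filtering as described above.

```python
from collections import namedtuple

# Hypothetical trace record: calling class, JCA entry point, algorithm string.
Call = namedtuple("Call", "caller api algorithm")

BLOCK_CIPHERS = {"AES", "DES", "DESEDE"}
LEGACY_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR"}
WEAK_DIGESTS = {"MD5", "SHA1", "SHA-1"}

def cipher_parts(transformation):
    # "ALG/MODE/PADDING"; a bare "AES" leaves mode and padding to the provider.
    parts = transformation.upper().split("/")
    return parts[0], (parts[1] if len(parts) > 1 else None)

def rule_ecb_mode(call):
    # "ECB" in "RSA/ECB/..." is only a naming convention, so RSA is not flagged.
    if call.api != "Cipher.getInstance":
        return None
    alg, mode = cipher_parts(call.algorithm)
    # With the default SunJCE provider, a bare "AES" resolves to AES/ECB/PKCS5Padding.
    if alg in BLOCK_CIPHERS and mode in (None, "ECB"):
        return f"{alg} in ECB mode ({'explicit' if mode else 'provider default'})"
    return None

def rule_legacy_cipher(call):
    if call.api == "Cipher.getInstance" and cipher_parts(call.algorithm)[0] in LEGACY_CIPHERS:
        return f"legacy cipher {call.algorithm}"
    return None

def rule_weak_digest(call):
    if call.api == "MessageDigest.getInstance" and call.algorithm.upper() in WEAK_DIGESTS:
        return f"weak digest {call.algorithm}"
    return None

RULES = {"ecb-mode": rule_ecb_mode, "legacy-cipher": rule_legacy_cipher, "weak-digest": rule_weak_digest}

def analyze(trace, enabled=tuple(RULES), package=""):
    # Apply the enabled rules to calls whose caller starts with the package prefix.
    return [(name, c.caller, msg) for c in trace if c.caller.startswith(package)
            for name in enabled if (msg := RULES[name](c))]

# Constructed sample trace (not real analyzer output).
TRACE = [
    Call("com.example.billing.CardVault", "Cipher.getInstance", "AES"),
    Call("com.example.billing.CardVault", "Cipher.getInstance", "AES/GCM/NoPadding"),
    Call("com.example.auth.PasswordStore", "MessageDigest.getInstance", "MD5"),
    Call("com.example.auth.TokenSigner", "Cipher.getInstance", "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"),
    Call("org.legacy.sync.Exporter", "Cipher.getInstance", "DES/CBC/PKCS5Padding"),
]

if __name__ == "__main__": print(*analyze(TRACE), sep="\n")
```

The bare `"AES"` call is the kind of finding a trace surfaces more reliably than a source grep, because the mode never appears in the code.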