Why Cryptosense is an IAST Tool

Graham Steel
November 13, 2018

There are several kinds of tool for testing applications for security vulnerabilities: Static Analysis Security Testing (SAST) looks at source code or compiled binaries and searches for patterns that suggest an issue. Dynamic Application Security Testing (DAST) tools test running code by sending inputs (typically to endpoints in a web application) and observing evidence of vulnerabilities.

At Cryptosense, we wanted to build a tool that would effectively identify and help fix vulnerabilities related to cryptography - something no other tool does a good job of. We quickly realised that we would have to be able to test code written by our users (to check the way it calls cryptographic libraries), the cryptographic libraries themselves (to look for known issues), framework components and dependencies (which often use cryptography in insecure ways), and some kinds of behaviour that can only be observed at run-time (such as key values loaded from keystores, passwords in configuration files, or random number generators).

Neither SAST nor DAST allows you to do all this - SAST does not see run-time aspects, and DAST only sees the cryptography from the exterior of the application.

That's why we built an IAST (Interactive Application Security Testing) tool, i.e. we instrument an application while it's running to see all the cryptographic operations, and analyse these to detect crypto vulnerabilities. Some IAST tools are very heavy to deploy and typically only get used once the application is in late testing, in the SIT or UAT stage. Finding a crypto security issue at this stage is a big headache, so we designed Cryptosense Analyzer to be deployable much earlier in the development lifecycle, as soon as you have some running code.

We worked hard on our instrumentation to minimise performance impact by simply recording a log of cryptographic details while the application runs. This trace is then uploaded to our Analyzer server, either using our REST API, a CI plugin for e.g. Maven, Gradle or Jenkins, or interactively using our web interface. Because the instrumentation is so light and efficient, there are no stability issues. Analyzer can be deployed in integration tests or even in unit testing to catch errors as early as possible.
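A toy version of this instrument-then-analyse loop, added here as an illustration and not Cryptosense's own instrumentation (which targets Java applications, not Python): the hashlib constructors and hmac.new are wrapped at run time so that each call appends to a trace, and a separate rule pass over that trace reports weak digests and short HMAC keys, the way an analyser would after the trace is uploaded. The sample application, the rule thresholds and the algorithm list are constructed for the example.

```python
import hashlib
import hmac
import sys

TRACE = []   # (operation, detail, caller line), recorded while the app runs
WEAK_DIGESTS = {"md5", "sha1"}   # constructed rule set for the example
MIN_HMAC_KEY_BITS = 128          # constructed threshold for the example
_installed = False

def _hook_digest(name, original):
    def hooked(*args, **kwargs):
        TRACE.append(("digest", name, sys._getframe(1).f_lineno))  # frame 1 = caller
        return original(*args, **kwargs)
    return hooked

def install_hooks():   # swap hashlib constructors and hmac.new for recording wrappers
    global _installed
    if _installed:
        return
    for name in ("md5", "sha1", "sha256"):
        setattr(hashlib, name, _hook_digest(name, getattr(hashlib, name)))
    original_hmac = hmac.new
    def hooked_hmac(key, msg=None, digestmod=None):
        TRACE.append(("hmac", len(key) * 8, sys._getframe(1).f_lineno))  # key length in bits
        return original_hmac(key, msg, digestmod)
    hmac.new = hooked_hmac
    _installed = True

def analyse(trace):   # rules run offline over the uploaded trace, not in the app
    findings = []
    for op, detail, line in trace:
        if op == "digest" and detail in WEAK_DIGESTS:
            findings.append((line, f"weak digest {detail}"))
        elif op == "hmac" and detail < MIN_HMAC_KEY_BITS:
            findings.append((line, f"HMAC key is only {detail} bits"))
    return findings

def sample_application():   # constructed stand-in for the user's code under test
    hashlib.md5(b"password").hexdigest()                 # flagged
    hashlib.sha256(b"password").hexdigest()              # fine
    hmac.new(b"short", b"message", "sha256").digest()    # 40-bit key, flagged
    hmac.new(b"k" * 32, b"message", "sha256").digest()   # fine

def run():   # instrument, exercise the app, then analyse the trace
    install_hooks()
    TRACE.clear()
    sample_application()
    return analyse(TRACE)
```

Because the hooks only append a tuple per call, the application's behaviour and output are unchanged; all judgement happens in `analyse`, which is why the same trace can be re-checked against new rules without re-running the application.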

Most of our users combine Cryptosense Analyzer with analysis from several tools, including SAST and tools to test code quality or the presence of vulnerable open-source components. This kind of combination is made easy by our REST API. Get in touch for a demo.