CAP consists of:
Results are correlated in the Analyzer platform to provide a comprehensive inventory. All scans and traces are centralized in a CAP server which can be used in SaaS or installed on-premise.
No. CAP’s Application Tracer agent sees 100% of calls to crypto libraries in a running application, without needing access to source code.
The analysis platform (Analyzer) hosts the reporting web application. It is available as SaaS hosted in our cloud or as a completely self-contained virtual machine licensed for on-premises use.
In an on-premise deployment, the minimum number of applications covered is 50. The investment per application depends on the number of applications in scope. In SaaS, the minimum number of applications covered is 1.
Definitely. CAP works best when it’s deployed in DevOps.
The Java tracing agent is OS-independent. The .NET tracer runs on .NET core or .NET framework. The filesystem scanner runs on Unix or Windows platforms. The OpenSSL tracer works on Linux for dynamically-loaded OpenSSL libraries. Further tracer coverage is on the roadmap including Python, JS/Node.js and Go.
Yes. Cryptosense has integrations for the big 3 cloud providers and includes tracing of KMS operations and details of the KMS keys referenced in reports, giving visibility e.g. on data keys used in storage encryption and their relationship to master keys.
Yes, CAP can trace applications running in containers and it can also scan container images without running them.
Yes. All data in CAP instances can be queried through the GraphQL API, and the data can be collected centrally in any standard data analytics tool such as Splunk or ELK.
Yes, CAP can trace COTS or legacy applications without requiring access to their source code.
There are no particular requirements for the VM in terms of CPU power, though more powerful instances will produce reports faster. Disk space depends on the number of applications to be tested, since the traces will be stored on the disk in the on-premises version. Traces can be quite large (e.g. 2-5 GB for large web applications and extensive testing).
No, the VM can be run completely internally. On-premise customers receive all updates to the rule base just like SaaS customers. These updates are made available on our servers in the form of Debian/Red Hat packages every quarter, which on-premises customers can download and apply to their Analyzer VM. No data is ever sent from the Analyzer VM to Cryptosense or elsewhere.
The Analyzer VM runs on Linux using Python/Flask for the web application and OCaml for the analysis engine. We supply packages for Debian and for Red Hat Linux/CentOS.
We have a security policy document that describes in detail the measures we take. In general, we follow best practices for web development, including making use of up-to-date and well-tested frameworks and libraries, paying attention to source code management and using a modern CI process, taking specific measures around attack vectors such as injection, cross-site scripting and authorisation bypass, and having third parties carry out grey-box pen-tests. Traces are uploaded to the server over TLS.
CAP is currently hosted on Amazon Web Services, but we can create on-demand instances elsewhere to suit customer compliance requirements.
Yes. The Cryptosense approach to crypto-agility is to build a continuous cryptography inventory that stays up to date thanks to its integration into the DevOps toolchain for in-house applications and with business-as-usual scanning tools for other points in the infrastructure. This inventory is queryable via the GraphQL interface, allowing immediate, actionable intelligence on where and how algorithms are being used, which facilitates a coherent crypto-agility programme.
CAP is a complete cryptography management platform. By combining analysis of cryptography throughout your infrastructure, it gives you powerful insight into how you use cryptography, with multiple business benefits.