Cryptosense FAQ 

Deployment

What does CAP consist of?

CAP consists of:

  1. The Analyzer Platform which also hosts the reporting web application, available in SaaS hosted in our cloud or as a completely self-contained virtual machine licensed for use on-premises.
  2. Application Tracer (Java, .Net, OpenSSL)
  3. Network Scanner (TLS, STARTTLS, SSH)
  4. Filesystem Scanner (filesystems & containers)
  5. HSM scanner (PKCS#11)

Results are correlated in the Analyzer platform to provide a comprehensive inventory. All scans and traces are centralized in the Analyzer server, which can be used as SaaS or installed on-premises.

Does CAP need access to source code?

No. CAP's Application Tracer agent records every call a running application makes to the supported crypto libraries (Java, .NET, OpenSSL), without needing access to source code.

How is CAP deployed?

The analysis platform (Analyzer) hosts the reporting web application. It is available in SaaS hosted in our cloud or as a completely self-contained virtual machine licensed for use on-premises.

What is the minimum number of applications for a deployment?

In an on-premises deployment, the minimum number of applications covered is 50. The investment per application depends on the number of applications in scope. In SaaS, the minimum number of applications covered is 1.

Does CAP integrate in my DevOps toolchain?

Yes. CAP is designed to be integrated into the DevOps toolchain, so that tracing runs as part of the normal build and test cycle and the inventory stays current.

What operating systems do CAP agents run on?

The Java tracing agent is OS-independent. The .NET tracer runs on .NET Core or .NET Framework. The filesystem scanner runs on Unix or Windows platforms. The OpenSSL tracer works on Linux for dynamically loaded OpenSSL libraries (statically linked copies of OpenSSL are not covered). Further tracer coverage is on the roadmap, including Python, JS/Node.js and Go.
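Because the OpenSSL tracer only sees dynamically loaded libraries, it is worth confirming that a Linux target actually maps libssl/libcrypto as shared objects before deploying it. The following check is an added example written for this page, not Cryptosense code: it parses the `/proc/<pid>/maps` listing of a process and reports the OpenSSL shared objects it has mapped. The sample maps listing embedded in it is constructed, not captured from a real host; with a PID argument it reads the live maps file instead (same user as the target or root required).

```python
"""Check whether a running Linux process has OpenSSL mapped dynamically.

Added example, not Cryptosense code. A process that links OpenSSL statically
(or does not use it at all) shows no libssl/libcrypto mapping here.
"""
import re
import sys
from pathlib import Path

# Shared-object names OpenSSL ships under, with any SONAME version suffix.
OPENSSL_LIB_RE = re.compile(r"/(libssl|libcrypto)\.so(\.[0-9.]+)?$")

# Constructed sample of /proc/<pid>/maps lines (not captured from a real host).
SAMPLE_MAPS = """\
55d0c7a00000-55d0c7a01000 r--p 00000000 fd:01 1310722   /usr/sbin/nginx
7f3a12000000-7f3a12028000 r--p 00000000 fd:01 2621441   /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a12028000-7f3a122b0000 r-xp 00028000 fd:01 2621441   /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a12400000-7f3a12430000 r--p 00000000 fd:01 2621450   /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a12430000-7f3a124a0000 r-xp 00030000 fd:01 2621450   /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a12600000-7f3a12622000 r--p 00000000 fd:01 2621460   /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0         [stack]
"""


def openssl_objects(maps_text: str) -> list[str]:
    """Return the distinct OpenSSL shared objects mapped in a maps listing.

    Each maps line is: address perms offset dev inode [pathname]. Only the
    pathname (6th field, absent for anonymous mappings) is inspected.
    """
    found: list[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping: no pathname
        path = fields[5].strip()
        if path.endswith(" (deleted)"):
            # Library file replaced on disk after load (e.g. a package upgrade);
            # still mapped, so still report it.
            path = path[: -len(" (deleted)")]
        if OPENSSL_LIB_RE.search(path) and path not in found:
            found.append(path)
    return found


def traceable(maps_text: str) -> bool:
    """True when libcrypto is mapped as a shared object.

    libssl always pulls in libcrypto, so libcrypto is the object that must be
    present for any dynamically loaded OpenSSL use.
    """
    return any(Path(p).name.startswith("libcrypto") for p in openssl_objects(maps_text))


def check_pid(pid: int) -> list[str]:
    """Read /proc/<pid>/maps for a live process (Linux only)."""
    return openssl_objects(Path(f"/proc/{pid}/maps").read_text())


if __name__ == "__main__":
    text = Path(f"/proc/{sys.argv[1]}/maps").read_text() if len(sys.argv) > 1 else SAMPLE_MAPS
    for obj in openssl_objects(text):
        print("mapped:", obj)
    if not traceable(text):
        print("no dynamically loaded OpenSSL found: the process either does not use "
              "OpenSSL or links it statically, which the tracer cannot see")
```

An empty result on a process you expect to use OpenSSL usually means a statically linked copy (common in Go binaries built with cgo or in vendored builds); for such targets the network scanner is the way to observe the TLS behaviour instead.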

Can CAP analyze cryptographic operations carried out inside public cloud providers?

Yes. Cryptosense has integrations for the three major cloud providers. These trace KMS operations and include details of the referenced KMS keys in reports, giving visibility, for example, on the data keys used for storage encryption and their relationship to master keys.

Does CAP scan containers?

Yes, CAP can trace applications running in containers and it can also scan container images without running them.

Does CAP support central data collection?

Yes. All data in a CAP instance can be queried through its GraphQL API, and the results collected centrally in any standard data analytics tool such as Splunk or ELK.
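One way to feed such a collector is to pull from the GraphQL API on a schedule and write one JSON object per line, the shape that Filebeat/Logstash and Splunk file inputs ingest as one event per line. The script below is an added example written for this page, not Cryptosense code: the endpoint URL, the bearer-token header and every field name in the query and sample response are assumptions for illustration, so take the real ones from the Analyzer's own GraphQL schema. The sample response is constructed so the script runs offline; the `live=True` path performs the actual HTTP request.

```python
"""Pull findings from a GraphQL API and emit them as newline-delimited JSON.

Added example, not Cryptosense code. ENDPOINT, the Authorization header and
all field names below are assumptions; consult the real GraphQL schema.
"""
import json
import urllib.request
from typing import Iterable, Iterator

# Assumed endpoint; adjust to the real deployment.
ENDPOINT = "https://analyzer.example.internal/graphql"

# Hypothetical query: projects -> latest report -> findings. Field names invented.
QUERY = """
query Findings($first: Int!) {
  projects(first: $first) {
    name
    reports(last: 1) {
      createdAt
      findings { id severity ruleName algorithm keySize }
    }
  }
}
"""


def build_request(token: str, variables: dict) -> urllib.request.Request:
    """GraphQL over HTTP: a POST whose JSON body carries 'query' and 'variables'."""
    body = json.dumps({"query": QUERY, "variables": variables}).encode()
    return urllib.request.Request(
        ENDPOINT,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},  # assumed auth scheme
    )


def flatten(response: dict) -> Iterator[dict]:
    """Turn the nested GraphQL response into one flat record per finding.

    Every row carries the project name and report timestamp so the analytics
    tool can filter without joins.
    """
    if response.get("errors"):
        # GraphQL may return partial data next to errors; do not silently
        # index an incomplete inventory.
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    for project in response["data"]["projects"]:
        for report in project["reports"]:
            for finding in report["findings"]:
                yield {"project": project["name"],
                       "report_time": report["createdAt"],
                       **finding}


def to_ndjson(records: Iterable[dict]) -> str:
    """One JSON object per line; sort_keys keeps the field order stable."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


# Constructed sample response (not real Analyzer output) so this runs offline.
SAMPLE_RESPONSE = {
    "data": {
        "projects": [
            {"name": "payments-api",
             "reports": [{"createdAt": "2023-04-01T10:00:00Z",
                          "findings": [
                              {"id": "f-1", "severity": "HIGH", "ruleName": "weak-hash",
                               "algorithm": "MD5", "keySize": None},
                              {"id": "f-2", "severity": "MEDIUM", "ruleName": "short-rsa-key",
                               "algorithm": "RSA", "keySize": 1024}]}]},
            {"name": "batch-worker", "reports": []},
        ]
    }
}


def export(token: str, live: bool = False) -> str:
    """Fetch (or use the sample) and return the NDJSON text to append to a log file."""
    if live:
        with urllib.request.urlopen(build_request(token, {"first": 100})) as resp:
            response = json.load(resp)
    else:
        response = SAMPLE_RESPONSE
    return to_ndjson(flatten(response))


if __name__ == "__main__":
    print(export(token="REPLACE_ME"), end="")
```

Write the output to a file that the log shipper tails (or post it to Splunk's HTTP Event Collector) rather than querying the API from every dashboard; the GraphQL token should be a read-only credential stored in the scheduler's secret store, not in the script.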

Can CAP run on COTS or legacy applications without need to recompile them?

Yes, CAP can trace COTS or legacy applications without requiring access to their source code.

What are the requirements for the on-premise VM?

There are no particular requirements for the VM in terms of CPU power, though more powerful instances will produce reports faster. Disk space depends on the number of applications to be tested, since in the on-premises version the traces are stored on the VM's disk. Traces can be quite large (e.g. 2-5 GB for large web applications and extensive testing).

Does the VM need to communicate with a server in the cloud?

No, the VM can be run completely internally. On-premises customers receive all updates to the rule base just like SaaS customers. These updates are made available on our servers in the form of Debian/Red Hat packages every quarter, which on-premises customers can download and apply to their Analyzer VM. No data is ever sent from the Analyzer VM to Cryptosense or elsewhere.

What technologies is the VM based on?

The Analyzer VM runs on Linux, using Python/Flask for the web application and OCaml for the analysis engine. We supply packages for Debian and for Red Hat Enterprise Linux/CentOS.

How secure is the SaaS version of CAP?

We have a security policy document that describes in detail the measures we take. In general, we follow best practices for web development: using up-to-date and well-tested frameworks and libraries, paying attention to source code management and using a modern CI process, taking specific measures against attack vectors such as injection, cross-site scripting and authorisation bypass, and having third parties carry out grey-box pen-tests. Traces are uploaded to the server over TLS.

Where is the SaaS version hosted?

CAP is currently hosted on Amazon Web Services, but we can create on-demand instances elsewhere to suit customer compliance requirements.

How does CAP integrate in the DevOps toolchain?

The Cryptosense approach to crypto-agility is to build a continuous cryptography inventory that stays up to date thanks to its integration into the DevOps toolchain for in-house applications, and through business-as-usual scanning tools for other points in the infrastructure. This inventory is queryable via the GraphQL interface, giving immediate, actionable intelligence on where and how algorithms are being used and so supporting a coherent crypto-agility programme.
