Java is one of the most widely used programming languages in the world, and it powers a large share of business applications. Codebases of a million lines or more are common. These applications use plenty of cryptography, to store passwords, encrypt database fields, communicate over TLS, and so on, usually through the Java JCE/JCA crypto API. Many of them were first written a decade or more ago, so how secure is their crypto today?
Our Java App Tracer software is designed to help answer that question. It consists of a Java agent that loads into the JVM and records a trace of crypto API calls, and an analysis engine that applies crypto usage rules to the resulting trace. A short demo video shows it in action. You can choose which rules to apply and filter on particular packages of interest. If source code is available, each finding links straight back to the line of code where the call was made.
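To illustrate what "applying crypto usage rules to a trace" means in practice, here is an added example of a small rule engine run over a constructed trace of JCE/JCA calls. It is written for this page and is not the Java App Tracer's code, trace format or rule set: the line format (`class.method(args) @ caller:line`), the package names, the iteration-count threshold and the rules themselves are all assumptions made for the example. It also covers two cases worth knowing about when writing such rules: a bare `Cipher.getInstance("AES")` receives the provider's default mode (ECB for SunJCE), so it should be flagged like an explicit ECB request, while the `ECB` token in `"RSA/ECB/PKCS1Padding"` is just JCA naming and should not be.

```python
"""Toy crypto-usage rule checks over a constructed JCE/JCA call trace (added example)."""
import re
from dataclasses import dataclass

# Constructed sample trace. The format is an assumption for this example:
# one intercepted call per line, "class.method(args) @ caller:line".
SAMPLE_TRACE = """\
javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding") @ com.example.db.FieldCrypto:42
javax.crypto.Cipher.getInstance("AES") @ com.example.db.FieldCrypto:57
javax.crypto.Cipher.getInstance("AES/GCM/NoPadding") @ com.example.api.TokenService:88
java.security.MessageDigest.getInstance("MD5") @ com.example.auth.PasswordStore:17
java.security.MessageDigest.getInstance("SHA-256") @ com.example.util.Checksum:9
javax.crypto.Cipher.getInstance("DESede/CBC/PKCS5Padding") @ com.example.legacy.Export:120
javax.crypto.Cipher.getInstance("RSA/ECB/PKCS1Padding") @ com.example.pki.Wrap:55
javax.crypto.spec.PBEKeySpec.<init>(char[], byte[], 1000, 256) @ com.example.auth.PasswordStore:25
"""

TRACE_LINE = re.compile(
    r'^(?P<cls>[\w.$]+)\.(?P<method>[\w<>]+)\((?P<args>.*)\) @ (?P<caller>[\w.$]+):(?P<line>\d+)$'
)


@dataclass(frozen=True)
class Call:
    cls: str
    method: str
    args: tuple   # raw argument tokens as recorded in the trace
    caller: str
    line: int


@dataclass(frozen=True)
class Finding:
    rule: str
    caller: str
    line: int
    detail: str


def parse_trace(text):
    """Parse trace lines into Call records; reject anything that does not match."""
    calls = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = TRACE_LINE.match(raw)
        if not m:
            raise ValueError(f"unparseable trace line: {raw!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["cls"], m["method"], args, m["caller"], int(m["line"])))
    return calls


WEAK_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}
WEAK_DIGESTS = {"MD2", "MD5", "SHA", "SHA1", "SHA-1"}
MIN_PBKDF2_ITERATIONS = 10_000   # assumed threshold for this example; set per policy


def cipher_transformation(call):
    """Return (alg, mode, padding) for a Cipher.getInstance call, else None.
    JCA accepts "alg" or "alg/mode/padding"; missing parts come back as None."""
    if call.cls != "javax.crypto.Cipher" or call.method != "getInstance" or not call.args:
        return None
    parts = call.args[0].strip('"').upper().split("/")
    return parts[0], (parts[1] if len(parts) > 1 else None), (parts[2] if len(parts) > 2 else None)


def rule_ecb_mode(call):
    t = cipher_transformation(call)
    if t is None or t[0] == "RSA":
        return None   # "RSA/ECB/..." is JCA naming, not a block-cipher mode
    alg, mode, _ = t
    if mode is None:
        # No mode given: the provider default applies, and SunJCE's default is ECB.
        return f"{alg} requested without a mode; provider default (SunJCE) is ECB"
    return f"{alg} in ECB mode" if mode == "ECB" else None


def rule_weak_cipher(call):
    t = cipher_transformation(call)
    return f"legacy cipher {t[0]}" if t and t[0] in WEAK_CIPHERS else None


def rule_rsa_pkcs1_v15(call):
    t = cipher_transformation(call)
    if t and t[0] == "RSA" and t[2] == "PKCS1PADDING":
        return "RSA with PKCS#1 v1.5 padding; prefer OAEP"
    return None


def rule_weak_digest(call):
    if call.cls == "java.security.MessageDigest" and call.method == "getInstance" and call.args:
        alg = call.args[0].strip('"').upper()
        if alg in WEAK_DIGESTS:
            return f"weak digest {alg}"
    return None


def rule_pbkdf2_iterations(call):
    # PBEKeySpec(char[] password, byte[] salt, int iterationCount[, int keyLength])
    if call.cls == "javax.crypto.spec.PBEKeySpec" and call.method == "<init>" and len(call.args) >= 3:
        iterations = int(call.args[2])
        if iterations < MIN_PBKDF2_ITERATIONS:
            return f"PBEKeySpec iteration count {iterations} is below {MIN_PBKDF2_ITERATIONS}"
    return None


RULES = {
    "ecb-mode": rule_ecb_mode,
    "weak-cipher": rule_weak_cipher,
    "rsa-pkcs1-v15": rule_rsa_pkcs1_v15,
    "weak-digest": rule_weak_digest,
    "pbkdf2-iterations": rule_pbkdf2_iterations,
}


def analyse(trace, rules=RULES, package=None):
    """Apply each rule to each call; optionally restrict to callers under one package."""
    findings = []
    for call in parse_trace(trace):
        if package and not call.caller.startswith(package):
            continue
        for name, rule in rules.items():
            detail = rule(call)
            if detail:
                findings.append(Finding(name, call.caller, call.line, detail))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_TRACE):
        print(f"{f.caller}:{f.line} [{f.rule}] {f.detail}")
```

Each finding carries the caller class and line from the trace, which is what lets a result be tied back to source when it is available; the `package` argument of `analyse` is the trace-level equivalent of filtering on packages of interest. Rules that need more than one call to decide (for example checking the key size passed to `KeyPairGenerator.initialize` against the algorithm chosen in an earlier `getInstance`) would need per-caller state, which this single-call engine deliberately leaves out.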
We’re currently rolling out the Java App Tracer with a number of pilot clients. To find out more, get in touch.