Cryptography Code Discovery and Remediation
Overview
For crypto code discovery, we take an application and some of its source code as input and produce a Cryptography Bill of Materials (CBOM): an inventory of the cryptographic assets found in that code.
To understand these assets, start with what does not count as one. In code that performs encryption, a single call into a cryptographic library is not a cryptography asset: inventorying every such call would produce a long list of unrelated entries, most carrying little or no cryptographic meaning on their own. A cryptography asset is instead the set of related code that together performs one cryptographic operation, such as key generation, data encryption, or key encapsulation. We discover these assets with static analysis, which lets us tie related library calls together and resolve the values of their parameters (for example, which algorithm, mode and key size an encryption actually uses). Once the cryptographic code and any misuse in it have been identified, we turn to remediation.
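As an added illustration, not the project's own tooling, the following Python script runs a small static pass over a constructed sample module that uses the `cryptography` library. It ties each `Cipher(...)` call to the algorithm, mode and key-generation calls that feed it, resolves parameter values through local and module-level assignments, flags a couple of misuses, and emits one asset record per operation in a CycloneDX-style CBOM layout. The sample source, the misuse rule set and the simplified CBOM field names are all assumptions of the example.

```python
import ast
import json

# Constructed sample input (example-only source, not code from the project on the page):
# a small module that uses the `cryptography` library in two places.
SAMPLE_SOURCE = '''
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY_BYTES = 16

def encrypt(data):
    key = os.urandom(KEY_BYTES)
    iv = os.urandom(16)
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
    enc = cipher.encryptor()
    return enc.update(data) + enc.finalize()

def legacy(data, key):
    cipher = Cipher(algorithms.TripleDES(key), modes.ECB())
    return cipher.encryptor().update(data)
'''
# Hypothetical rule set for flagging misuse; a real tool carries a much larger one.
INSECURE_MODES = {"ECB"}
LEGACY_ALGORITHMS = {"TripleDES", "Blowfish", "ARC4", "IDEA", "CAST5"}

def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _const_int(node, consts):
    """Resolve an int literal or a module-level constant name to an int."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    return consts.get(node.id) if isinstance(node, ast.Name) else None

def _key_info(key_node, local_assigns, consts):
    """Follow the key argument back to its producer; return (source, size_in_bits)."""
    if isinstance(key_node, ast.Name) and key_node.id in local_assigns:
        key_node = local_assigns[key_node.id]          # `key = <expr>` inside the function
    if isinstance(key_node, ast.Call) and _dotted_name(key_node.func) == "os.urandom" and key_node.args:
        n = _const_int(key_node.args[0], consts)
        return "os.urandom", (n * 8 if n is not None else None)
    return "external (parameter or unresolved)", None

def _single_assign(node):
    return isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name)

def discover_assets(source):
    """Group each Cipher(...) call with the calls that feed it into one asset record."""
    tree = ast.parse(source)
    consts = {}                                        # module-level NAME = <int>
    for node in tree.body:
        if _single_assign(node) and _const_int(node.value, consts) is not None:
            consts[node.targets[0].id] = _const_int(node.value, consts)
    assets = []
    for func in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        local_assigns = {n.targets[0].id: n.value for n in ast.walk(func) if _single_assign(n)}
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and _dotted_name(node.func) == "Cipher" and len(node.args) >= 2):
                continue
            algo_call, mode_call = node.args[0], node.args[1]
            algorithm = (_dotted_name(algo_call.func) or "").split(".")[-1] if isinstance(algo_call, ast.Call) else None
            mode = (_dotted_name(mode_call.func) or "").split(".")[-1] if isinstance(mode_call, ast.Call) else None
            key_source, key_bits = None, None
            if isinstance(algo_call, ast.Call) and algo_call.args:
                key_source, key_bits = _key_info(algo_call.args[0], local_assigns, consts)
            findings = []
            if mode in INSECURE_MODES:
                findings.append(f"{mode} mode leaks plaintext structure")
            if algorithm in LEGACY_ALGORITHMS:
                findings.append(f"{algorithm} is a legacy algorithm")
            assets.append({
                "name": "-".join(p for p in (algorithm, str(key_bits) if key_bits else None, mode) if p),
                "algorithm": algorithm, "mode": mode, "keySizeBits": key_bits, "keySource": key_source,
                "function": func.name, "line": node.lineno, "findings": findings,
            })
    return assets

def to_cbom(assets):
    """Emit the inventory in a CycloneDX-style CBOM layout (fields simplified for the example)."""
    components = [{
        "type": "cryptographic-asset",
        "name": a["name"],
        "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
            "primitive": "block-cipher", "mode": (a["mode"] or "").lower(),
            "parameterSetIdentifier": str(a["keySizeBits"]) if a["keySizeBits"] else None}},
        "evidence": {"location": f"{a['function']}:{a['line']}", "keySource": a["keySource"]},
        "findings": a["findings"],
    } for a in assets]
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": components}

if __name__ == "__main__":
    print(json.dumps(to_cbom(discover_assets(SAMPLE_SOURCE)), indent=2))
```

Running the script yields two assets rather than the six library calls a grep would list: `encrypt` collapses to one AES-128-CBC asset whose key size was recovered by following `key` back to `os.urandom(KEY_BYTES)` and `KEY_BYTES` back to the module constant, while `legacy` becomes a TripleDES-ECB asset with two findings and an unresolved key size, because its key arrives as a parameter and this pass only looks within one function. That last case is exactly where a real discovery tool needs interprocedural analysis, and it is why the CBOM record carries the key source rather than silently guessing a size.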
Remediation takes the original code and the results of the discovery phase and produces remediation suggestions, both for instances of cryptography misuse and for migration to quantum-safe algorithms. Our approach is to train an AI model for code; for this purpose we are constructing a large, curated, domain-specific data set. Once the model is trained, it can propose inline code remediations, which the user reviews and then merges into the code.
As we continue toward cryptographic agility and modernization, we are working on better extracting cryptography from application code, making that cryptography configurable, and automating remediation at the code level.