Cryptosense Analyzer Platform (CAP)
Updated Nov. 17 2021

Cryptosense Analyzer Platform (CAP) and Venafi have a native integration that solves the problem of lost or missing machine identities by providing full visibility on cryptography use across applications and filesystems, preventing certificate outages and downtime.
Business Outcomes
  • Reduce the risk of outages by ensuring that all in-use certificates are correctly tracked and managed

  • Provide on-demand visibility on certificate use in applications for compliance and audits

  • Simplify operations by avoiding human error, including the use of hard-coded certificates

Integration Features
  • Filters to add found certificates to Venafi under certain conditions

  • Rules to fail a build if unmanaged certificates are included

  • Register an issue in Jira for an unmanaged certificate using our powerful GraphQL API

  • Alert on any scan containing a certificate that will expire in <3 months without a replacement

Solution Overview

Multiple challenges make it hard for security teams to retain end-to-end visibility on certificate use: self-issued Let's Encrypt or DigiCert certificates used during development and testing may move untracked into production; third-party code may include untracked or hard-coded certificates; new certificates are placed in the wrong store; or the application is not restarted to trigger a store reload.

CAP is a complete cryptography management solution. Its unique technology provides full visibility on cryptography use enterprise-wide, including inside running applications. It traces an application's calls to its cryptographic libraries to discover what cryptography is really being used when the application runs, including which keys and certificates are used. It also scans filesystems and containers to discover where the certificates that are called by running applications are stored. This can be used both to find missing certificates and to understand how the application gets access to them.

CAP now integrates directly with Venafi. Users are able to determine whether certificates in a Cryptosense Analyzer Platform scan are already protected by Venafi or not, and directly submit any missing certificates in order to give security teams the full picture of machine identities in use throughout their organization.

How It Works

The process starts with an administrator obtaining a Venafi instance URL and access token from the Venafi platform and entering them into CAP's integrations tab. Then: 

  • A CAP user traces an application or scans a file system and uploads the resulting trace to CAP. 
  • They use CAP to generate a report.
  • They click the "populate Venafi GUIDs" button in the certificates tab of the report to look up all certificates in the Venafi inventory.
  • For all certificates already present in Venafi, they can then either click through to the relevant record, or view selected details within CAP.
  • For any certificates not found in the Venafi inventory, they can examine the details and, if they wish, upload them to Venafi with a single click.