Enhancing CryptoGuard's Deployability for Continuous Software Security Scanning
Miles Frantz

TL;DR
This paper improves CryptoGuard, a Java static analysis tool, by enhancing its deployability, usability, and accessibility through new features like source and compiled code scanning, live documentation, and cloud support, while also analyzing developer practices.
Contribution
The work introduces extensions to CryptoGuard for better deployment and usability, including source and compiled code analysis, cloud support, and developer practice surveys.
Findings
CryptoGuard now supports source and compiled code scanning.
Created live documentation and build tool plugins for CryptoGuard.
Surveyed over 50,000 developers on Java security practices.
Abstract
The increasing development speed that Agile enables can lead to security steps being overlooked in the process; the Iowa Caucus application is one example. Verifying the protection of confidential information such as social security numbers requires security at all levels, including every connected application. CryptoGuard is a static code analyzer for Java that verifies developers do not leave vulnerabilities in their applications. It aids the developer by identifying cryptographic misuses such as hard-coded keys, weak hashes, and the use of insecure protocols. In my Master's thesis work, I made several important contributions to improving the deployability, accessibility, and usability of CryptoGuard. I extended CryptoGuard to scan source and compiled code, created live documentation, and supported a dual cloud and local tool-suite. I also created…
Taxonomy
Topics: Distributed and Parallel Computing Systems
