Optimized open source software improves the development process

Industrial project with achelos

Initial situation and project objective

Cryptography is a key component of many security functions in software. However, errors can easily occur when using software libraries that provide cryptographic functions, and misuse of these libraries can even jeopardize the security of the software being developed. Together with software manufacturer achelos, Fraunhofer IEM is working on a solution for the proper use of cryptography libraries. The CogniCrypt tool is designed to be integrated at various points in the software development process and improves the security of the software by ensuring that cryptography libraries are used correctly.

Section of a computer screen showing source code.
© Fraunhofer IEM
CogniCrypt supports developers in the secure use of cryptography libraries.

Solution and customer benefit

CogniCrypt is an open source tool for static code analysis. It gives software developers information about the quality of their program code with respect to the use of cryptography libraries. Fraunhofer IEM has integrated CogniCrypt at two points in the software development process at achelos: first, in the development environment, to give developers feedback on misuse of the cryptography library as early as possible; second, in continuous integration, which gives developers an overview of bug fixes over time. This integration has been extensively tested by achelos and has contributed to the continuous development of CogniCrypt. In accordance with BSI Technical Guideline TR-02102-1, the software was further enhanced with a ruleset that detects misuse of the most commonly used functions of the Bouncy Castle library (a collection of open-source cryptographic programming interfaces), so that security vulnerabilities are avoided at an early stage.
The project partners have jointly further developed CogniCrypt and made software development more secure and of higher quality. The current version of CogniCrypt is being used successfully at achelos. The software development company's experts are also supported by the tool during code reviews and benefit from automated verification that application programming interfaces are used correctly.
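To illustrate the kind of Bouncy Castle misuse a TR-02102-1 based ruleset targets, here is an added example; it is not code from the project, from achelos or from CogniCrypt's own rules. It uses Bouncy Castle through its JCE provider (an assumption; the page does not say which Bouncy Castle interface the ruleset covers) and assumes the bcprov jar is on the classpath: the first method shows the pattern such a check would flag, the second the compliant form.

```java
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Added example; assumes the Bouncy Castle provider (bcprov) is available.
public class BcUsageExample {
    static { Security.addProvider(new BouncyCastleProvider()); }

    // Misuse a TR-02102-1 based ruleset would report: ECB mode offers no
    // integrity protection and reveals equal plaintext blocks, and a
    // 128-bit key is below the 256 bits the guideline recommends.
    static byte[] encryptWeak(byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES", "BC");
        kg.init(128);
        SecretKey key = kg.generateKey();
        Cipher c = Cipher.getInstance("AES/ECB/PKCS7Padding", "BC");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Compliant form: AES-256 in GCM (authenticated encryption), a fresh
    // random 96-bit nonce per message and a 128-bit authentication tag.
    static byte[] encryptCompliant(byte[] plaintext, SecretKey key,
                                   SecureRandom rng) throws Exception {
        byte[] nonce = new byte[12];
        rng.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        // Prepend the nonce; it is not secret but must be unique per key.
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES", "BC");
        kg.init(256);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "constructed sample message".getBytes("UTF-8"); // constructed input
        byte[] out = encryptCompliant(msg, newKey(), new SecureRandom());
        System.out.println("nonce + ciphertext + tag: " + out.length + " bytes");
    }
}
```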

Project profile

PROJECT TITLE

Integration of CogniCrypt into the Development Process

DURATION

January 2019 to May 2019

PROJECT VOLUME

€45,000

FUNDING

It's OWL transfer project

PROJECT LEADER

Johannes Späth

OBJECTIVES
  • Integration of CogniCrypt into the development process and continuous integration
  • Improvement and customization of the CogniCrypt development environment plugin
  • Creation of a ruleset for the Bouncy Castle API

Is this topic also of interest to you? Then feel free to contact us!

Contact Press / Media

Dr. Matthias Becker

Head of Department Secure Services & Apps

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-158