Industrial Strength Static Detection for Cryptographic API Misuses

We describe our experience of building an industrial-strength cryptographic vulnerability detector, which aims to detect cryptographic API misuses in Java ^{TM 1 1} Java is a registered trademark of Oracle and/or its affiliates.. Based on the detection algorithms of the academic tool CryptoGuard, we integrated the detection into the Oracle internal code scanning platform Parfait. The goal of the Parfait-based cryptographic vulnerability detection is to provide precise and scalable crypto-graphic code screening for large-scale industrial projects. We discuss the needs and challenges of the static cryptographic vulnerability screening in the industrial environment.