#KEYMASTER: Looking Beyond the CBOM – Building Stronger Cryptographic Posture

Modern organizations rely heavily on cryptography to protect data, systems, and communications. However, simply documenting cryptographic components is no longer enough.

In this #KEYMASTER session, Dr. Vladimir Soukharev, VP of Cryptography at InfoSec Global (part of Keyfactor), explores how organizations should move beyond Cryptographic Bills of Materials (CBOMs) toward proactive cryptographic posture management and better “crypto hygiene”.

Below are the key insights from that conversation, explaining why proactive discovery, prioritization, and lifecycle management are essential for secure cryptographic practices.

Watch video on YouTube

From Static Lists to Proactive Cryptographic Discovery

A CBOM (Cryptographic Bill of Materials) is essentially a list of cryptographic components used in a product—like a recipe’s ingredients list. It describes what algorithms, libraries, or cryptographic elements are included.

However, CBOMs have a fundamental limitation: they rely on trust. Organizations must assume that the listed components are accurate and complete.

To address this limitation, organizations are increasingly adopting proactive cryptographic discovery, which involves scanning systems directly to detect the cryptography actually being used. This approach provides:

• Verification rather than trust
• Visibility into real cryptographic implementations
• The ability to detect hidden or undocumented components

In an ideal environment, companies would compare scan results against vendor-provided CBOMs to verify their accuracy. However, the CBOM concept is still evolving, and there is not yet a universally accepted standard for how it should be structured.

The Challenge of Cryptographic Noise

When organizations begin scanning their systems, they often encounter a new challenge: overwhelming volumes of results.

It’s common for discovery tools to produce hundreds of thousands—or even millions—of findings. Without a strategy to filter and prioritize them, the task becomes impossible for engineering teams.

To manage this complexity, organizations need a multi-dimensional prioritization approach, evaluating issues based on factors such as:

• Severity of the vulnerability
• Impact on the system or business
• External exposure (public-facing vs. internal systems)
• Deprecated algorithms or protocols

This prioritization allows teams to focus on the most critical weaknesses first instead of attempting to fix everything at once.

Identifying Weak Links in Cryptography

A key goal of cryptographic posture management is identifying and addressing the weakest links in the environment.

For example, teams should quickly flag and migrate away from deprecated algorithms such as:

• Triple DES
• DES
• SHA-1
• MD5

Replacing them with modern alternatives such as AES and SHA-2/SHA-3 significantly improves security.

Another common mistake occurs during protocol upgrades. For instance, an organization may add support for TLS 1.2 or TLS 1.3, but forget to remove TLS 1.0.

If legacy versions remain enabled, attackers can simply negotiate the weaker protocol and bypass the upgrade entirely.

CBOM vs. Internal Crypto Inventory

Although CBOMs and cryptographic inventories are related, they serve different purposes.

CBOM (External Transparency)

• Shareable with customers or partners
• Describes cryptographic components in a product
• Provides assurance that secure cryptography is used

Cryptographic Inventory (Internal Operations)

• Used internally for security management
• Identifies vulnerabilities, weak algorithms, and keys
• Contains sensitive information such as private keys that should never be shared

Organizations should use internal inventories to identify and fix problems before publishing a CBOM.

The Role of Crypto Agility and Lifecycle Management

Maintaining strong cryptographic security requires more than discovery—it also requires the ability to change cryptography quickly.

This is where several capabilities become essential:

• Cryptographic lifecycle management – discovering, identifying, and prioritizing cryptographic assets
• Certificate management – managing certificates across systems
• Crypto agility – the ability to quickly replace algorithms or libraries
• Key Management Systems (KMS) – securely managing cryptographic keys

Together, these capabilities support what Vladimir describes as “cryptographic hygiene”—the ongoing practice of keeping cryptographic systems secure, modern, and well-maintained.

Key Takeaways

• CBOMs provide transparency but rely on trust. They describe cryptographic components but don’t verify them.
• Proactive cryptographic discovery is essential. Scanning systems ensures you know what cryptography is actually in use.
• Prioritization is critical. Discovery tools may generate massive datasets that must be filtered by risk and impact.
• Deprecated algorithms must be removed. Weak cryptography like DES, MD5, or SHA-1 should be replaced with modern secure alternatives.
• Protocol upgrades must fully disable legacy versions. Leaving old versions enabled creates security gaps.
• Internal crypto inventories differ from CBOMs. Sensitive details like private keys should never be shared publicly.
• Crypto agility enables rapid response. Organizations must be able to quickly swap algorithms, libraries, rotate keys, and update certificates.
• Good “cryptographic hygiene” is the goal. Continuous discovery, management, and remediation keep systems secure over time.

Learn more

• #KEYMASTER: Understanding Cryptographic Posture Management and Asset Visibility
• Learn more about Cryptographic Posture Management
• Keyfactor: Bringing Together the Best in Cryptographic Discovery