Coverage
PCI DSS 12.3.3 asks for a documented, annually-reviewed inventory of the cipher suites and protocols in use across your environment. That inventory spans both what you wrote and what you run. CipherM looks at source code, configuration files, and live TLS endpoints together — so a finding in one place can be traced to its cause in another.
The three surfaces
- Source code: hard-coded algorithms, key sizes, deprecated library calls, custom crypto and the dependencies that ship cipher implementations into your build.
- Configuration files: java.security, openssl.cnf, web-server and load-balancer config, cipher-suite allow-lists and protocol floors — the settings that decide what is actually permitted at runtime.
- Live TLS endpoints: what your servers and services negotiate in production, that is, the suites and protocol versions they actually accept, plus certificate signature algorithms and key lengths.
Why partial coverage fails
A network scanner sees what your endpoints negotiate but never opens your code or configs. A source-only OSS tool reads your repo but never connects to a running service. Either way, the 12.3.3 inventory has a hole in it — and that hole is where the QSA finding lands.
| Surface | CipherM (source + config + live TLS) | Network-only scanners (live TLS only) | Source-only OSS tools (repo grep only) |
|---|---|---|---|
| Source code (libraries, hard-coded algorithms, key sizes) | Covered | Missed | Covered |
| Configuration files (java.security, openssl.cnf, nginx/Apache) | Covered | Missed | Partial |
| Live TLS endpoints (negotiated suites, protocol versions) | Covered | Covered | Missed |
| Certificates (signature algorithm, key length, expiry) | Covered | Covered | Missed |
| Mapping a runtime finding back to the file that caused it | Covered | Missed | Partial |
Categories above describe the general classes of tooling, not any specific named product. Your own environment may differ — a Rapid Assessment confirms exactly what each tool in your stack does and does not see.
Scope
1. An endpoint accepting a weak protocol is an immediate, in-scope finding. But the negotiated suite alone doesn't tell you where to fix it.
2. The deprecated default lives in a config file or a dependency. Without reading those, you can patch the symptom and leave the root cause to resurface on the next deploy.
3. 12.3.3 expects one inventory you can defend. When runtime, config and code are scanned together, every entry traces from what a service negotiates back to the line that set it.
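As an added illustration of the three steps above (example code written for this page, not CipherM's own implementation), the Python below builds a protocol inventory from three constructed configuration snippets (an nginx server block, an openssl.cnf floor, and a java.security exclusion list), records the file and line each inventory entry came from, flags entries below a TLS 1.2 floor, and traces a constructed live observation (a host seen accepting TLSv1.1) back to the nginx line that permits it. The file contents, host name and host-to-config mapping are all constructed for the example, and the TLS 1.2 floor is an assumption rather than something the page states.

```python
"""Config-derived protocol inventory with provenance, plus a trace from a
live-TLS finding back to the config line that permits it.
Added example: not CipherM code. All inputs below are constructed."""
import re
from dataclasses import dataclass

# Protocol ladder from weakest to strongest; the floor is an assumption (TLS 1.2).
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROTOCOL_FLOOR = "TLSv1.2"


@dataclass(frozen=True)
class Entry:
    path: str       # config file the setting came from
    line: int       # 1-based line number where the setting starts
    protocol: str   # one protocol version the setting permits
    setting: str    # the raw setting text, kept as the inventory's evidence


def _logical_lines(text):
    """Yield (first_line_no, joined_text); java.security continues lines with a
    trailing backslash, so continuation lines are folded into the first one."""
    start, buf = None, []
    for n, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        start, buf = None, []
    if buf:
        yield start, "".join(buf)


def _at_or_above(floor):
    return PROTOCOL_ORDER[PROTOCOL_ORDER.index(floor):]


def parse_nginx(path, text):
    """nginx lists permitted versions explicitly: ssl_protocols TLSv1.1 TLSv1.2;"""
    entries = []
    for n, line in _logical_lines(text):
        m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
        if m:
            entries += [Entry(path, n, p, line.strip()) for p in m.group(1).split()]
    return entries


def parse_openssl_cnf(path, text):
    """openssl.cnf sets a floor: MinProtocol = TLSv1.2 permits that version and up."""
    entries = []
    for n, line in _logical_lines(text):
        m = re.match(r"\s*MinProtocol\s*=\s*(\S+)", line)
        if m:
            entries += [Entry(path, n, p, line.strip()) for p in _at_or_above(m.group(1))]
    return entries


def parse_java_security(path, text):
    """java.security works by exclusion: jdk.tls.disabledAlgorithms names what is off."""
    entries = []
    for n, line in _logical_lines(text):
        m = re.match(r"\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)", line)
        if m:
            disabled = {t.strip() for t in m.group(1).split(",")}
            permitted = [p for p in PROTOCOL_ORDER if p not in disabled]
            entries += [Entry(path, n, p, line.strip()) for p in permitted]
    return entries


def below_floor(entries):
    """Inventory entries that permit a protocol older than PROTOCOL_FLOOR."""
    floor_idx = PROTOCOL_ORDER.index(PROTOCOL_FLOOR)
    return [e for e in entries if PROTOCOL_ORDER.index(e.protocol) < floor_idx]


def trace(host, observed_protocol, deployment, inventory):
    """Map a live finding (host accepted observed_protocol) to the config lines
    that permit it. `deployment` is a constructed host -> config-paths map."""
    paths = set(deployment.get(host, ()))
    return [e for e in inventory if e.path in paths and e.protocol == observed_protocol]


# Constructed sample inputs (not real files or hosts).
NGINX_CONF = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
"""
OPENSSL_CNF = """[system_default_sect]
MinProtocol = TLSv1.2
"""
JAVA_SECURITY = """jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, \\
    DES, MD5withRSA, anon, NULL
"""
DEPLOYMENT = {"api.example.test:443": ["nginx/conf.d/api.conf"]}  # constructed mapping


def build_inventory():
    return (parse_nginx("nginx/conf.d/api.conf", NGINX_CONF)
            + parse_openssl_cnf("/etc/ssl/openssl.cnf", OPENSSL_CNF)
            + parse_java_security("conf/security/java.security", JAVA_SECURITY))


if __name__ == "__main__":
    inventory = build_inventory()
    for e in below_floor(inventory):
        print(f"below floor: {e.protocol} permitted by {e.path}:{e.line} ({e.setting})")
    # Constructed live observation: the API host was seen accepting TLSv1.1.
    for e in trace("api.example.test:443", "TLSv1.1", DEPLOYMENT, inventory):
        print(f"live finding traces to {e.path}:{e.line}: {e.setting}")
```

The openssl.cnf and java.security parsers are deliberately different in shape from the nginx one: a floor setting and an exclusion list each have to be expanded into the concrete list of permitted versions before the three sources can sit in one inventory, which is why a repo grep for the string "TLSv1.1" alone does not produce a defensible 12.3.3 entry.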
A Rapid Assessment reconciles all three surfaces — source code, configuration, and live TLS — into the single cryptographic inventory 12.3.3 asks you to keep. Want a taste first? Run the free scan to check the live-TLS half of that picture in seconds.