Name of Your Organization:
CAST Software
Web Site:
http://www.castsoftware.com/
Compatible Capability:
CAST Application Intelligence Platform (CAST AIP)
Capability home page:
http://www.castsoftware.com/products/application-intelligence-platform
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
CAST Application Intelligence Platform (AIP) is an enterprise-grade software quality analysis and measurement solution designed to analyze multi-tiered, multi-technology applications for technical vulnerabilities and adherence to architectural and coding standards. The intelligence generated by CAST AIP has many uses:
- Provides a bottom-up view of technical debt and imparting software engineering advice to the application development teams supporting these complex systems.
- Insight into risks associated with upgrade of software packages,
ability to automatically document complex, legacy systems.
- Provides real-time information needed to improve application health and development team performance
The below screenshot represents the measured value of the various health factors for a given application. These values (or grades) are calculated based on the underlying Quality rules which also cover the CWE requirements.
More details of the Application Analytics Dashboard are available in the online product documentation at:
http://doc.castsoftware.com/help/topic/73x/CAST-Product-Documentation---7.3_568426664.html
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
CAST AIP platform validates the candidate applications/technologies against the fulfillment of CWE requirements.
For example – Within the CAST AIP platform, we can check if the analyzed Application / project contains specific frameworks either related to data input from the user or related to the target methods. Target methods are the methods that will be attacked by hackers looking to exploit.
As mentioned by the Common Weakness Enumeration (CWE), SANS Institute and OWASP, Improper Input Validation is the top group of web programming errors that can lead to security vulnerabilities.
Improper Input Validation is defined by the CWE follows:
"When software fails to validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution."
The User Input Security feature in the CAST Management Studio enables users to detect improper user input validation in the application's source code, which can lead to the following security vulnerabilities:
- SQL Injection (CWE-89)
- Cross-Site Scripting (CWE-79)
- LDAP Injection (CWE-90)
- OS Command Injection (CWE-78)
- XPath Injection (CWE-91)
- Path Manipulation (CWE-99)
Once the source code analysis is complete, the results (i.e., the security vulnerabilities) can be viewed in the CAST Dashboard as standard Quality Rules. As dataflow-based Quality Rules, the flow of the user input can be tracked in the CAST Dashboard with bookmarked source code.
To enable User Input Security checks in your application analysis using the CAST Management Studio, it is necessary to activate the feature by adding a specific technology configuration within the User Input Security tab in the Application editor as shown below:
Example 1:
Example 2:
For more details on how this is implemented, please refer to product documentation at:
http://doc.castsoftware.com/help/index.jsp?topic=%2F73x%2FUser-Input-Security---Internals_568426779.html
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
For each new major release (not necessary in the Service Packs), we will schedule an update to our CWE content to keep it in sync with the current CWE requirements. The major releases are out every 9-12 months. At the same time we will continue to enhance our support for the CWE requirements.
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):
The customers will be informed about the updates on the CWE support as part of the product roadmap presentation prior to the actual release. Once the release is GA, the CWE support updates will be reflected in the
"Release Notes" section and the "Security Standards Compliance" section of the online product documentation.
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
The product website provides information about CAST AIP CWE support and CWE Compatibility at the following URL:
http://www.castsoftware.com/solutions/application-security/CWE
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
The CAST Engineering Dashboard provides a wide range of different views.
Example: The below screenshot shows the available views to explore the different Areas w.r.t the application under measurement.
Each view presents different level of information. The Investigation view and Quality Model drill down views will provide the required details on the Quality rules (includes Security rules defined by CWE.
For details on how to access the security elements required, please refer to the following URL from the online product documentation:
http://doc.castsoftware.com/display/DOC73/Using+the+CAST+Engineering+Dashboard
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS
<CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
The CAST Dashboard has a built in feature in several views that provides access to a unified
"Violation viewer" which provides:
- information about the status of a violation (new/old or otherwise) and for a Health Factor, the PRI (Propagated Risk Index), VI (Violation index) and RPF (Risk Propagation Factor) values in an expandable section
- a full description of the Quality Rule that has been violated in an expandable section
- a full description of the object that has violated the Quality Rule in an expandable section
- the code (where available) of the object that has violated the Quality Rule
- violation bookmarks (i.e. ,multiple violations of a Quality Rule occurring in one piece of code) where applicable
Example: The screenshot below provides detailed information about a specific violation/rule (CWE-89)when browsed using Violation Viewer.
For more details on this topic, please access the following online product documentation URL:
http://doc.castsoftware.com/help/topic/73x/Violation-Viewer_568427016.html
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL
<CR_5.4>
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):
The CWE elements and their mapping with CAST Quality rules are posted at the following URL on the CAST website:
http://www.castsoftware.com/solutions/application-security/CWE
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
After the product analyzes the application, it will identify all the Security violations in the code. The end user can launch the Application Analytics Dashboard to view all the Quality rules which are violated under the Security business Criteria.
To view all the rules enabled/configured by the CAST platform, user can open the Assessment model from the CAST Management Studio or the legacy ADG tool.
Example: Below screenshot from CAST ADG lists few top security requirements listed by various security standards/organizations including OWASP, CWE, PCI and CISQ
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
CAST AIP includes a separate tool called Report Generator will includes various report templates. There is one template designed to provide the details around Security compliance check (includes check for CWE).
Screenshot of table from a Security Report for a sample application:
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
The CAST Engineering Dashboard presents various views. Each view provides Different set of information.
Example to list by all Security rules, we can use the following view. This will also list all the CWE rules.
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE Identifiers that the owner claims the tool is effective at locating in software (recommended):
The supported rules are available in the Assessment model. The Assessment model, can be viewed from the CAST Management Studio.
Example: The screenshot below displays the Assessment model of CAST AIP 8.0, which is opened from the CAST Management Studio. We can search the keyword
"CWE" and all the rules related to CWE support are displayed.
For details on how to access the Assessment model for checking or configuring the rules, please refer to the following doc location:
http://doc.castsoftware.com/help/topic/73x/Assessment-Model-configuration-access_568426843.html?resultof=%22%61%73%73%65%73%73%6d%65%6e%74%22%20%22%61%73%73%65%73%73%22%20%22%6d%6f%64%65%6c%22%20
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):
The source code violating the CWE rules will be recorded and displayed on the Dashboard. The end user can drill down from the CWE rules to the specific objects violated in the source code on the CAST Application Engineering Dashboard.
Refer to the following URL for details:
http://www.castsoftware.com/solutions/application-security/CWE
SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):
The user can browse through the online product documentation to get the list of supported CWE identifiers.
Refer to the following URL for details:
http://www.castsoftware.com/solutions/application-security/CWE
SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS <CR_A.2.8>
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):
The CAST AIP product allows to configure/disable any Quality rules before running the static code analysis. So the rules corresponding to the CWE requirements can be configured or disabled depending on user's preference. This can be configured in the Assessment model within the CAST Management Studio. Please refer to the answer
<CR_A.2.4>.
NON-SUPPORT NOTIFICATION FOR A REQUESTED CWE IDENTIFIER <CR_A.2.9>
Provide a description of how the tool notifies the user that a task associated with a selected CWE Identifier cannot be performed (recommended):
The CAST AIP product will enforce static code analysis of the candidate application against all the supported CWE related Quality rules. The CWE rules violated by the application will be reflected in the CAST Application Engineering Dashboard.
Service Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.3.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
The CAST AIP product is a static code analysis platform which allows the end Users to deliver any piece of software source code which they intend to scan/analyze for structural quality. The product embeds a set of Quality rules for every technology. The Quality rules corresponding to CWE requirements are also validated by the platform. The results of the validation are stored in the product repository (knowledge base and central base).
All the quality rules are mapped to 5 high level business criteria's such as Security, Performance, Robustness, Transferability and Changeability. The Quality rules corresponding to CWE rules are covered under the Security business criteria.
There are mainly two dashboards available to present the results of the static code analysis.
- Application Analytics Dashboard – This dashboard gives a portfolio view of the applications. Presents grades by business criteria for each Application analyzed to indicate the quality of the application. Dashboard displays the various violations identified by the analyzer by each Quality rule. This is more useful for CIO, CTOs, VPs, Project Managers to get a global view of the various applications in the Portfolio.
- CAST Engineering Dashboard – This dashboard gives more engineering related drill down information of each violation to see details of the objects violated. The Quality rules violated are mapped to CWE rules if applicable.
a. This dashboard is used by mainly developers, project manager's quality engineers to understand the flaws in the code and fix the same if appropriate.
Example of CAST Engineering Dashboard below:
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.3.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
The end user can reference the CAST AIP website and product documentation (Refer to this URL:
http://www.castsoftware.com/solutions/application-security/CWE) to understand the association between CWE identifiers and their corresponding CAST AIP Quality rules.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
The end user can obtain the full listing of the supported CWE Identifiers in the CAST AIP product website at URL:
http://www.castsoftware.com/solutions/application-security/CWE
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.3.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the service is effective at locating in software (recommended):
The end user can obtain the full listing of the supported CWE Identifiers in the CAST AIP product website at URL:
http://www.castsoftware.com/solutions/application-security/CWE
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.3.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool’s tasks (recommended):
The CAST Application Intelligence Platform version 7.3.0 allows users to have direct access to the Security Quality rules (which include the CWE related rules).
Online Capability Questions
FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS <CR_A.4.1>
Give detailed examples and explanations of how a "find" or
"search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):
The document is available only in html format included in the online product documentation. The CWE-related information can be searched using the online search facility in the product documentation.
Examples of few CWE-IDs/requirements/mitigation/mapping with CAST AIP extracted from the online CAST AIP documentation:
ONLINE CAPABILITY INTERFACE TEMPLATE USAGE <CR_A.4.1.1>
Provide a detailed description of how someone can use your
"URL template" to interface to your capability’s search function (recommended):
Examples: You can directly access the information about association of CAST AIP Quality rules and CWE requirements in the online product website page below:
http://www.castsoftware.com/solutions/application-security/CWE
ONLINE CAPABILITY CGI GET METHOD SUPPORT <CR_A.4.1.2>
If the URL template is for a CGI program, does it support the HTTP
"GET" method? (recommended):
N/A
FINDING CWE IDENTIFIERS USING ONLINE CAPABILITY ELEMENTS <CR_A.4.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CWE Identifiers for the individual security elements in the report (required):
The end user can directly reference link to the online product website page URL:
http://www.castsoftware.com/solutions/application-security/CWE in their reports to reference the mapping between CWE requirements and CAST AIP Quality rules.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.4.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE Identifiers that the owner claims the online capability’s repository covers (required):
CAST AIP product repository covers/supports the CWE rules listed on the online product website link:
http://www.castsoftware.com/solutions/application-security/CWE
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.4.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE Identifiers that the owner claims the online capability’s repository covers (recommended):
Please refer to the CAST AIP online product website for details:
http://www.castsoftware.com/solutions/application-security/CWE
ONLINE CAPABILITY ELEMENT TO CWE IDENTIFIER MAPPING <CR_A.4.5>
If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CWE Identifier(s), otherwise enter N/A (required):
N/A
Media Questions
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
The CWE-related information is available in the html format in the online product documentation. There is a search option to allow text search. The CWE elements or text can be search using this facility.
http://www.castsoftware.com/solutions/application-security/CWE
ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element
(required):
The individual CWE Identifiers are listed in the product website at:
http://www.castsoftware.com/solutions/application-security/CWE
ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>
Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CWE identifier(s)
(recommended):
The mapping between the CAST AIP quality rules to the respective CWE Identifiers, is available online under CAST AIP product website at:
http://www.castsoftware.com/solutions/application-security/CWE
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):
The end user can go to the public online documentation page at:
http://doc.castsoftware.com/help/index.jsp
In the search field, the user can directly enter the CWE requirement ID and launch search. The search will display the link to the page which displays the CWE requirements mapping with the CAST AIP rules. The same information is available on this page:
http://www.castsoftware.com/solutions/application-security/CWE
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):
The CWE requirements are mapped to the corresponding CAST AIP Quality rules.
For example the table below shows the mapping for CWE-89 requirement.
GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>
Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):
The document is available only in html format included in the online Product documentation. The CWE-related information can be searched using the online search facility in the product documentation. Please find help files in .chm format for the various versions of the Quality models (includes CWE rules) supported so far.
http://doc.castsoftware.com/display/DOC73/Metrics+and+Quality+Rules+Documentation
These details are updated/maintained by the Product team.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Jayesh Golatkar
Title: Product Manager
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Jayesh Golatkar
Title: Product Manager
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Jayesh Golatkar
Title: Product Manager
More information is available — Please edit the custom filter or select a different filter.
|