Summary: This page describes the new features and bugs that have been fixed in the CAST Security Dashboard 1.11.0.

Content matrix

Version: 1.11.0

Summary of content:

  • RestAPI APIKEY for SAML bypass
  • Parameter details now displayed for parameterized rules
  • Ability to add custom report categories
  • New CODE_RESTRICTED role
  • Background facts tiles

New features 

RestAPI APIKey for SAML authentication

If you have enabled SAML authentication mode for your CAST Security Dashboard/RestAPI deployment, some client applications may not be able to authenticate. This is because SAML is designed as a single sign-on mode for browsers, so non-browser clients cannot use the protocol. To resolve this, CAST provides the ability to define an API Key in the CAST Security Dashboard/RestAPI that can be used to bypass SAML authentication.

How does this work?

  • SAML authentication mode is enabled and configured for your CAST Security Dashboard/RestAPI deployment
  • In addition, an API Key is defined in the security.properties file in your CAST Security Dashboard/RestAPI deployment
  • The API Key is used instead of a password to authenticate
  • Clients must use two specific HTTP headers to ensure that the API Key is used
    • X-API-KEY: the API Key matching the key defined in the security.properties file
    • X-API-USER: a defined user name to obtain a CAST Security Dashboard/RestAPI role and data authorization
  • When an API Key is used to bypass SAML mode, the user will be automatically granted the "ADMIN" role even if this role has not explicitly been granted to the user in question.

You can find out more about this in RestAPI authentication using an API key.

GUI updates for Quality Standards and custom tags

It is now possible to:

  • add one or more custom tiles to the dashboard that display the number of violations (critical or non-critical violations according to the active filter) under a specific Quality Standards tag or manually injected custom tag
  • configure a list of tags (Quality Standards tags or manually injected custom tags) that can be displayed in a drop-down filter in the Risk Investigation view.

Both features can be added together or separately.

If configuring Quality Standards tags, the extension Quality Standards Mapping must be installed prior to generating the snapshot, otherwise no tag data is available and neither feature will return any results.

Custom tiles

To create a custom tile, modify (using a text editor - Notepad or other similar application) the following file that is part of your deployed dashboard and add a tile or tiles using the configuration shown below in the profiles > areas > panels section alongside other tiles:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json

Configuration

  • type: tile type has to be SecurityTile
  • parameters:
    • business: must always specify the metric 60016
    • rule: the Quality Standards or custom tag you wish to view
    • title: Title of the tile
    • id: the Quality Standards or custom tag you wish to view
    • description: a free text field to describe what the tile shows (not shown in the dashboard)
  • color: tile color
  • other parameters for sizing and positioning of the tile - see Tile Sizing and Positioning

Example

This example will display a tile showing the number of violations tagged with a custom injected tag called CUSTOM-TAG:

{
    "type": "SecurityTile",
    "parameters": {
        "business": "60016",
        "rule": "CUSTOM-TAG",
        "title": "My Top PRIORITY",
        "id": "CUSTOM-TAG",
        "description": "violations"
    },
    "color": "blue",
    "col": 1,
    "row": 12,
    "sizex": 1,
    "sizey": 1,
    "max-sizex": 2,
    "max-sizey": 1
}

Drill down behaviour

Clicking on any of these tiles navigates to the Risk investigation view with the specific tag selected in a drop down at the top of the table - therefore filtering and displaying only rules that have this tag. "All Rules" will be selected in the Technical Criteria table by default and the list of rules displayed in the right hand panel are those that correspond to the selected tag:


List of tags

To configure a list of tags that can be displayed in a drop down filter in the Risk Investigation view, modify (using a text editor - Notepad or other similar application) the following file that is part of your deployed dashboard:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json

Add the feature in the "configuration": { section at the start of the file:

"ruleTag": ["tag","tag"],

For example, the following configuration adds two tags (MY-CUSTOM and MY-CUSTOM2):

{
	"description": "used as a placeholder for as much as possible relevant default application parameters, please do not edit manually",
	"configuration": {
		"defaultLanguage": "English",
		"description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
		"customLanguages": [],
		"requestAccess": false,
		"confirmLogout": true,
		"filterHealthFactor": true,
		"violationsCount": 5000,
		"ruleTag": ["MY-CUSTOM", "MY-CUSTOM2"],


Note that when drilling down from the Risk Investigation tile, the drop-down tag list is not displayed when a Health Measure is selected; instead, you will need to select a child Technical Criteria or the All Rules option.
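Both edits to ced.json described above (the SecurityTile in profiles > areas > panels, and the ruleTag list in "configuration") are easy to get subtly wrong by hand, so here is an added example, not part of the CAST documentation, that validates a tile against the rules listed under Configuration and applies both changes to a loaded ced.json. The profiles -> areas -> panels nesting is assumed from the page's wording; confirm it against your own file before use.

```python
REQUIRED_TILE_KEYS = ("type", "parameters", "color", "col", "row", "sizex", "sizey")
REQUIRED_PARAMS = ("business", "rule", "title", "id", "description")


def validate_security_tile(tile):
    """Return the problems found in a SecurityTile definition (empty list = OK)."""
    problems = []
    problems += [f"missing key: {k}" for k in REQUIRED_TILE_KEYS if k not in tile]
    if tile.get("type") != "SecurityTile":
        problems.append("type must be SecurityTile")
    params = tile.get("parameters", {})
    problems += [f"missing parameter: {k}" for k in REQUIRED_PARAMS if k not in params]
    if params.get("business") != "60016":
        problems.append("parameters.business must be the metric 60016")
    if params.get("rule") != params.get("id"):
        problems.append("parameters.rule and parameters.id must name the same tag")
    return problems


def make_security_tile(tag, title, col, row):
    """Build a 1x1 SecurityTile for one tag, using the sizing from the page's example."""
    return {
        "type": "SecurityTile",
        "parameters": {"business": "60016", "rule": tag, "title": title,
                       "id": tag, "description": "violations"},
        "color": "blue", "col": col, "row": row,
        "sizex": 1, "sizey": 1, "max-sizex": 2, "max-sizey": 1,
    }


def add_tile_and_tags(ced, tile, tags):
    """Append the tile to every profiles > areas > panels list and set configuration.ruleTag.
    The profiles -> areas -> panels nesting is an assumption taken from the page's wording."""
    problems = validate_security_tile(tile)
    if problems:
        raise ValueError("; ".join(problems))
    ced.setdefault("configuration", {})["ruleTag"] = list(tags)
    for profile in ced.get("profiles", []):
        for area in profile.get("areas", []):
            area.setdefault("panels", []).append(tile)
    return ced
```

Load the file with json.load, pass the result to add_tile_and_tags, and write it back with json.dump; the dashboard reads ced.json on startup, so redeploy or restart after editing.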

Injecting custom tags

If you need to use custom tags in the GUI features described above, you can manually inject them using CURL. For example:

curl -X PUT --header "Content-type: text/csv" --upload-file data.csv http://server:port/CAST-Security/rest/{Domain}/custom-quality-tags

Where data.csv contains the custom tags you wish to inject, using a rule ID and custom tag pair on each line as follows:

3626;CUSTOM-TOP-PRIORITY-RULES

See also: Health Results Resources - 1.11.x.
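The tag injection above is exactly the kind of non-browser client that cannot use SAML, so here is an added example (not CAST's own code) that builds and validates data.csv in the rule-ID;tag format and PUTs it to the custom-quality-tags resource using the X-API-KEY and X-API-USER headers from the RestAPI APIKey section. The server address, domain and environment variable names are placeholders.

```python
import os
import urllib.request


def build_custom_tags_csv(pairs):
    """Build the data.csv body: one 'ruleId;TAG' line per (rule ID, tag) pair."""
    lines = []
    for rule_id, tag in pairs:
        if not str(rule_id).isdigit():
            raise ValueError(f"rule ID must be numeric: {rule_id!r}")
        if not tag or ";" in tag or any(c.isspace() for c in tag):
            raise ValueError(f"tag must be non-empty with no ';' or whitespace: {tag!r}")
        lines.append(f"{rule_id};{tag}")
    return "\n".join(lines) + "\n"


def api_key_headers(api_key, api_user):
    """Headers a non-browser client sends to bypass SAML with the API Key."""
    # The key grants the ADMIN role to whoever presents it, so treat it as an
    # admin credential: the caller reads it from the environment, never from source.
    return {"X-API-KEY": api_key, "X-API-USER": api_user, "Content-type": "text/csv"}


def inject_custom_tags(base_url, domain, pairs, api_key, api_user):
    """PUT the CSV to /CAST-Security/rest/{Domain}/custom-quality-tags; returns the HTTP status."""
    body = build_custom_tags_csv(pairs).encode()
    req = urllib.request.Request(
        f"{base_url}/CAST-Security/rest/{domain}/custom-quality-tags",
        data=body, method="PUT", headers=api_key_headers(api_key, api_user))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: the rule/tag pair from the page; server and domain are placeholders.
    sample = [(3626, "CUSTOM-TOP-PRIORITY-RULES")]
    print(inject_custom_tags("http://server:port", "DOMAIN_PLACEHOLDER", sample,
                             os.environ["CAST_API_KEY"], os.environ["CAST_API_USER"]))
```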

Easy method for locating violations added to Action Plan or Exclusions list

The icons displayed in the violation lists in the Application Investigation, Risk Investigation and Transaction Investigation views to depict violations that have been added to the Action Plan or Exclusion list are now clickable. Clicking the icons will take you direct to the Action Plan/Exclusion List and highlight the violation.

The following icons are now clickable:

Highlighted violation on clicking an icon:

Ability to view parameter names and values for parameterized rules

After selecting any "parameterized" rule (legacy rules only), a Parameter Details section is now shown under the "Violation Details" section. The Parameter Details section lists each parameter name along with its value.

Ability to add a Custom Report category

It is now possible to add your own Custom Report category, alongside the existing default "Custom Report" category. This custom category can then be populated with custom reports in exactly the same way as the default "Custom Reports" category. See Security Dashboard - Report Generation configuration for more information.

Improvement to Show More button

The behaviour of the Show More button has been improved in this release. Now when choosing to show additional violations using the +10, +100 or All options, the list of violations will anchor to the next set of violations instead of resetting and anchoring to the start of the list. The Show More button is available in various pages throughout the dashboard:

Basic Search results now exclude critical rules when "Only critical violations" filter is active

The Basic Search will now exclude rules flagged as critical from the search results when the Only critical violations filter is active. When searching for a non-critical rule and the Only critical violations filter is active, a message will be displayed stating No results were found to match your search. In previous releases, non-critical rules were included in the search results even when the Only critical violations filter was active.

Basic Search and Only critical violations filter are located in the top menu bar: 

Background Facts tiles

It is now possible to configure a tile to display Background Facts that you have manually configured and uploaded during the snapshot generation (see Background Facts and Business Value Metric upload). The tile can display information about one metric that you have defined in the uploaded Background Facts file. See Engineering Dashboard tile management for more information about configuring the tile.

New CODE_RESTRICTED role

A new role has been implemented in this release: CODE_RESTRICTED. This role can be granted to users who do not have the right to view source code in the Security Dashboard. For example:

  • when drilling down in the Risk Investigation view
  • when drilling down in the Action Plan and Exclusion lists
  • when clicking More Violation Paths for security based rules

To enable the role, see User roles. When enabled, a message is displayed in the Dashboard as follows:


Advanced Search - Transactions ordered by TRI value and ability to filter on Business Risk driver

The Advanced Search for Transactions has been modified:

  • Transactions are now ordered by risk level, i.e. by Transaction Risk Index (TRI) value. The TRI is an indicator of the riskiest transactions of the application: the TRI number reflects the cumulative risk of the transaction based on the risk in the individual objects contributing to the transaction. The TRI is calculated as a function of the rules violated, their weight/criticality, and the frequency of the violation across all objects in the path of the transaction. TRI is a powerful metric to identify, prioritize and ultimately remediate the riskiest transactions and their objects.
  • It is possible to filter based on a Business Risk driver such as Efficiency, Robustness, Security or None

Add custom filters to Action Plan based on 'Comment', 'Priority' and 'Status' columns

In the Action Plan list it is now possible to filter the table by Priority, Status and Comment columns. The count for 'added', 'pending' and 'solved' will therefore adjust depending on the selected filter. Filter icons are now added to the column headings:

When the filter headings are clicked, a drop-list will be displayed offering various options as follows:

  • Priority - available options are the same as those provided when adding a violation to the Action Plan, with the addition of All tags. These tags are defined in the ced.json file under the "tag" item - see Engineering Dashboard json configuration options.
    • low
    • moderate
    • high
    • extreme
    • All tags

  • Status - options are set by default and cannot be edited: added, pending, solved.

  • Comment - type in the "SEARCH ON COMMENTS" box on the right hand side. When there is no match for the search, "No Violations found" is displayed.

Export rule details to XLSX file from Application Investigation view

It is now possible to export rule details to an Excel compatible XLSX file from the Application Investigation view:

The resulting XLSX file will contain the following details: