On this page:
- Content matrix
- Resolved issues
- New features
- SEC-207 - Default security tiles have been renamed and now use different tags
- DASHBOARDS-559 - Education List now has its own sidebar menu access
- DASHBOARDS-589 - New Continuous Improvement tile
- DASHBOARDS-704 - New Continuous Improvement tab
- DASHBOARDS-470 - Advanced Search, implement clear all filter selection in one go
- DASHBOARDS-496 - Advanced search, ability to add items to Action Plan, Exclusion list and Education list
- DASHBOARDS-739 - Session timeout redesign
Content matrix
Version | Summary of content |
---|---|
1.8.0 | |
Resolved issues
Internal ID | Call ID | Situation |
---|---|---|
DASHBOARDS-564 | - | Dashboard truncates "Rational" text in the violation drill-down page. |
New features
SEC-207 - Default security tiles have been renamed and now use different tags
The default tiles CWE and OWASP have been renamed and now use different tags:
Old Name | Old Tag | New Name | New Tag |
---|---|---|---|
CWE | CWE | CWE-Top25 | CWE-2011-Top25 |
OWASP | OWASP | OWASP-2017 | OWASP-2017 |
These tiles display the number of Violations or Critical Violations in the Application for rules that carry the selected tag (i.e. CWE-2011-Top25 or OWASP-2017). Clicking one of these tiles navigates to the Risk investigation view with that tag selected at the top of the table. "All Rules" is selected in the Technical Criteria table, and every rule in the displayed list is tagged with the selected tag:
DASHBOARDS-559 - Education List now has its own sidebar menu access
The Education List has been separated out from the Action Plan and Exclusions tabs and now has its own sidebar menu entry, titled Education and Continuous Improvement. The Action Plan and Exclusions lists remain in their existing locations:
(Screenshots: Education and Continuous Improvement | Monitor Actions and Exclusions)
In addition, the Active column has now been replaced with the Action column:
Previously the Active column indicated (via a simple Yes/No) whether the rule's violations would be added to the Action Plan when the next snapshot is run. The behaviour of the new Action column is the same, but the wording has changed:
- Mark for continuous improvement - the violations associated to the rule will not be added to the Action Plan when the next snapshot is run
- Mark for action - the violations associated to the rule will be added to the Action Plan when the next snapshot is run
Finally, when adding violations to the Education list, the popup dialog that is displayed has an option that forces the associated violations to be added to the Action Plan. This option was previously called Active on next snapshot and is now a drop-down list with two options, Mark for Action and Mark for continuous improvement (the behaviour is unchanged):
DASHBOARDS-589 - New Continuous Improvement tile
A new tile has been added to the dashboard home page:
This tile shows the following information:
- Removed Violations in the current snapshot
- Added Violations in the current snapshot
No data is shown when a previous snapshot is activated. Clicking the tile takes you directly to the new Improvement tab, which is part of Education and Continuous Improvement.
DASHBOARDS-704 - New Continuous Improvement tab
A new Improvement tab has been added to the new Education and Continuous Improvement option in the side bar menu:
What information does this tab provide?
Violation statuses
Selecting one of the three Violation statuses will update the graphs as described below:
DASHBOARDS-470 - Advanced Search, implement clear all filter selection in one go
When using the Advanced Search feature, it is now possible to clear any selections that have been made in the list of results, in one go. Use the Clear Selection option in the option menu - all selections that have already been made (ticks in the check boxes) will be cleared:
DASHBOARDS-496 - Advanced search, ability to add items to Action Plan, Exclusion list and Education list
It is now possible to add items to the Action Plan, Exclusion list and Education list from the Advanced search results page, depending on the roles granted to the current user (if you do not have the appropriate role, you cannot add the item to that list):
Note that when a user has all available roles, the drop-down options are enabled as follows:
- The selector is disabled if a Rule has been added to Educate and violations belonging to that rule have been added to either the Action Plan or the Exclusion list:
- The selector is enabled when a violation or rule has been added only to the Action Plan, the Exclusion list or Educate, but the corresponding drop-down option is disabled:
DASHBOARDS-739 - Session timeout redesign
In order to comply with security standards, the way the dashboards handle session timeout has been redesigned. Users are now notified when the dashboard detects a session timeout (i.e. no GET or POST requests have been sent for the timeout period), with an opportunity to continue the session (if still within the timeout period) or to log back in (if the timeout period has expired). This is supported for all authentication modes: Default, LDAP and SAML.
On timeout, the following dialog box is displayed. The upper right corner shows how many seconds remain before a re-login is required; the default is 10 seconds. Clicking Continue returns to the session without requiring a login:
If Time left reaches 0, the Continue button is disabled and the Re-login button is enabled. Clicking Re-login returns the user to the login screen, where authentication is required to continue the session:
You can change the number of seconds remaining before a login is required by editing the following file (the file name depends on the version):
- %CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
- For v1.18 and above: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json
Add the following line inside the "configuration" object (between its curly braces), where xx is the number of seconds you want to allow before a login is required:
```json
"alertTimeoutInterval": xx,
```
For example, with 30 seconds defined:
```json
"configuration": {
  "defaultLanguage": "English",
  "description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
  "customLanguages": [],
  "requestAccess": false,
  "confirmLogout": true,
  "violationsCount": 5000,
  "alertTimeoutInterval": 30,
```
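The edit above can be scripted so that the value is validated and the rest of the file is preserved, which matters when the same change is rolled out to several dashboard instances. The script below is an added example and is not CAST tooling; it assumes only what the page shows: a JSON file with a top-level "configuration" object, an integer number of seconds, and a default of 10 when the key is absent. The sample document is constructed here to mirror the fragment above.

```python
import json
import sys
from typing import Any, List

# Constructed sample that mirrors the "configuration" object shown on the page;
# it is not a real ed.json/ced.json taken from an installation.
SAMPLE_ED_JSON = """{
  "configuration": {
    "defaultLanguage": "English",
    "customLanguages": [],
    "requestAccess": false,
    "confirmLogout": true,
    "violationsCount": 5000
  }
}
"""

# Page-documented default used when alertTimeoutInterval is absent.
DEFAULT_ALERT_TIMEOUT = 10


def is_valid_timeout(seconds: Any) -> bool:
    """A countdown must be a positive whole number of seconds.

    bool is excluded explicitly because it is an int subclass in Python, so
    True would otherwise be accepted as 1.
    """
    return isinstance(seconds, int) and not isinstance(seconds, bool) and seconds > 0


def set_alert_timeout(config_text: str, seconds: int) -> str:
    """Return config_text with configuration.alertTimeoutInterval set to seconds.

    The file is parsed rather than string-edited, so every other key is kept,
    a malformed file fails loudly instead of being half-edited, and an existing
    alertTimeoutInterval is replaced rather than duplicated.
    """
    if not is_valid_timeout(seconds):
        raise ValueError("alertTimeoutInterval must be a positive whole number of seconds")
    doc = json.loads(config_text)  # raises json.JSONDecodeError on a broken file
    conf = doc.get("configuration") if isinstance(doc, dict) else None
    if not isinstance(conf, dict):
        raise ValueError('expected a top-level "configuration" object')
    conf["alertTimeoutInterval"] = seconds
    return json.dumps(doc, indent=2) + "\n"


def get_alert_timeout(config_text: str) -> int:
    """Read the effective countdown, falling back to the documented default."""
    doc = json.loads(config_text)
    value = doc.get("configuration", {}).get("alertTimeoutInterval", DEFAULT_ALERT_TIMEOUT)
    if not is_valid_timeout(value):
        raise ValueError(f"invalid alertTimeoutInterval in file: {value!r}")
    return value


def main(argv: List[str]) -> int:
    """Usage: python set_timeout.py <path-to-ed.json-or-ced.json> <seconds>"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    path, seconds = argv[1], int(argv[2])
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = set_alert_timeout(original, seconds)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print(f"{path}: alertTimeoutInterval = {get_alert_timeout(updated)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the path for your version (ced.json or ed.json) and restart nothing: the dashboard reads the value on the client side, so reloading the page is enough to pick up the new countdown, as with any manual edit of this file.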