Security Dashboard - Risk Investigation


Risk Investigation view

Accessible from the sidebar menu or by clicking the Risk Model tile, this view enables investigation of the application risk from the Assessment Model perspective - moving through Health Measures/Business Criteria, Technical Criteria, Rules/Measures/Distributions right down to the objects in violation.

By default, only Business Criteria that are categorised as Health Measures will be displayed in the dashboard. All other Business Criteria that are NOT Health Measures will not be displayed. You can override this behaviour, to display ALL top-level Business Criteria if required - see Engineering Dashboard json configuration options from the CAST AIP documentation.

Data is presented in a series of tables on the left and right hand side of the page enabling you to drill down from a Health Measure to an individual object that is in violation. Take for example the top level list of Health Measures:

Selecting a Health Measure in this table will display all of the contributing Technical Criteria in the right hand section:

When a Health Measure is selected, the first row in the Technical Criteria list will be titled "All Rules...". Selecting this item will display a list of all the Rules that contribute to the selected Health Measure:

Selecting a Technical Criterion will move it to the left hand side of the page and display all of the contributing Rules in the right hand section:

Selecting a contributing Rule will move the item to the left hand side of the page and display details about it (including the list of objects in violation, computing details, and rule/distribution/measure documentation) in the right hand section:


Note that when there are many violations to display, a "Show More" button will be available:

By default, only 10 violations are displayed to improve performance. You can choose to display more using the various options (+10, +100 etc.). By default an upper maximum of 5000 violations is set when the "All" option is clicked. You can change the upper maximum if required (see the violationsCount option in Dashboard wide configuration options in json from the CAST AIP documentation).

Finally, the details displayed depend on the type of item selected (Rule, Distribution or Measure); see the Rule, Distribution and Measure sections below.

Technical Debt Tile

You may create a Technical Debt tile to display the total Added and Removed OMG Technical Debt and the total number of days.

The tile can be configured as below in the ed.json file (formerly ced.json):

{
    "type": "OMGTechnicalDebt",
    "parameters": {
        "business": "1062100"
    },
    "color": "pale-blue",
    "col": 6,
    "row": 1,
    "sizex": 2,
    "sizey": 1,
    "min-sizex": 1,
    "min-sizey": 1,
    "max-sizey": 1,
    "max-sizex": 2
}

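A quick lint for tile entries before deploying ed.json, as an added Python example (not CAST's code): it parses the tile shown above, checks the keys the fragment uses, checks that sizex/sizey stay within the min-/max- bounds the tile declares, and reports tiles whose grid cells overlap. The page does not say which array of ed.json tiles belong in or how wide the grid is, so the functions take tile dicts directly and the neighbouring tile used in the usage is constructed.

```python
import json
from itertools import combinations

# Tile entry copied from the ed.json fragment above; the page documents no other tile structure.
PAGE_TILE_JSON = """
{
  "type": "OMGTechnicalDebt",
  "parameters": {"business": "1062100"},
  "color": "pale-blue",
  "col": 6, "row": 1,
  "sizex": 2, "sizey": 1,
  "min-sizex": 1, "min-sizey": 1,
  "max-sizey": 1, "max-sizex": 2
}
"""

REQUIRED_KEYS = ("type", "parameters", "col", "row", "sizex", "sizey")


def page_tile():
    """Parse the tile from the page fragment into a dict."""
    return json.loads(PAGE_TILE_JSON)


def validate_tile(tile):
    """Return the problems found in one tile entry; an empty list means the tile is well-formed."""
    problems = [f"missing key {key!r}" for key in REQUIRED_KEYS if key not in tile]
    if problems:
        return problems
    # The page's example passes the Business Criterion id as a numeric string.
    params = tile["parameters"] if isinstance(tile["parameters"], dict) else {}
    if tile["type"] == "OMGTechnicalDebt":
        business = params.get("business")
        if not (isinstance(business, str) and business.isdigit()):
            problems.append("OMGTechnicalDebt tile needs parameters.business as a numeric string")
    # sizex/sizey must stay within the min-/max- bounds the tile itself declares.
    for axis in ("x", "y"):
        size = tile[f"size{axis}"]
        lo = tile.get(f"min-size{axis}", 1)
        hi = tile.get(f"max-size{axis}", size)
        if not (isinstance(size, int) and lo <= size <= hi):
            problems.append(f"size{axis}={size} is outside [{lo}, {hi}]")
    for key in ("col", "row"):
        if not (isinstance(tile[key], int) and tile[key] >= 0):
            problems.append(f"{key} must be a non-negative integer")
    return problems


def cells(tile):
    """The set of (col, row) grid cells a tile covers, from its origin and size."""
    return {(c, r)
            for c in range(tile["col"], tile["col"] + tile["sizex"])
            for r in range(tile["row"], tile["row"] + tile["sizey"])}


def find_overlaps(tiles):
    """Index pairs (i, j) of tiles whose grid cells intersect, i.e. tiles drawn on the same cells."""
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(tiles), 2) if cells(a) & cells(b)]


if __name__ == "__main__":
    tile = page_tile()
    print(validate_tile(tile))                        # [] : the page's tile is well-formed
    # Constructed neighbour one column to the right: both tiles claim column 7, row 1.
    print(find_overlaps([tile, {**tile, "col": 7}]))  # [(0, 1)]
```

Run it against every tile entry in your ed.json before restarting the dashboard; a tile whose size falls outside its own min/max bounds or that sits on the same cells as another tile is the usual cause of a tile not rendering.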
Click on the AUTOMATED TECHNICAL DEBT tile. It drills down to the Risk Investigation page with the CISQ Assessment Model selected and the view set to "Technical Debt (OMG)", as shown in the screen below.

You can switch to the CISQ Assessment Model violation view from the drop-down list.

In Rule Details, a "Technical Debt (OMG)" section is added (as shown in the screen below) which shows the details for the Rule (Total, Added, Removed, and number of occurrences).

In the source code view, a section list with icons on the left represents the "Source Code" and "Technical Debt (OMG)" sections respectively. Clicking the "Technical Debt (OMG)" icon scrolls to the "Technical Debt (OMG)" section, where the object level details Adjustment Factor, UNADJUSTED EFFORT (IN MINS) and ADJUSTED EFFORTS (IN MINS) are displayed.

Rule

For a Rule the following sections are available:

Violations

Expand the list of Violations to view the objects violating the selected Rule:

Header icons

The following icons will be available:

Educate: click this icon to add the associated Rule to the Security Dashboard - Education list.
Download: click this icon to export the list of violations to Excel.
Source code
Note that Source Code is not available when viewing data from a previous snapshot.

Select an object in the list of violations to view its source code. In order to focus investigation, source code displayed presents either:

  • the object in violation
  • or the violation details when available (e.g. bookmarks, paths).

Whenever a piece of code is made available, the View File button (seen in the example below) provides the ability to open the entire source code file to get the entire context. The file is opened in a separate browser window. The entire source code is presented plus some context (application name, snapshot reference, file name).

The Rule name is also highlighted using colour (yellow for a standard Rule (as shown below), and red for critical):


Please note that in the current release of CAST AIP, the display of source code is limited in functionality:

  • The source code does not currently show all violations for Rules that reference User Input Security elements, such as:
    • The Rule "Avoid direct or indirect remote calls inside a loop"

Parameter values for last snapshots and when there are no violations

Clicking on a Rule displays a Parameter details section (along with the other sections: violations, computing details and Rule documentation) in the Risk Investigation view. This section displays the parameter name, technology, and value for the selected Rule.

Parameter details are displayed for the current snapshot as well as for the previous snapshot if the Rule is "parameterized". The Parameter details section also displays data for the selected Rule when no violations exist. If the selected Rule has no parameters, the message "No parameter details available" is displayed instead:

When a Rule involves "cyclical calls", such as the Rule "Avoid cyclical calls and inheritances between packages", the source code display is altered slightly. A cyclical call means that two packages refer to each other through a call, which can result in a circular dependency. In this case the dashboard does not show the detailed source code but the list of packages involved, so that it can show where the cyclical calls are located.

If a "copy/pasted" Rule has been selected (for example Avoid Too Many Copy/Pasted Artifacts), a list of objects that have a high level of similarity with the selected object is displayed:

After clicking on the object in the Violation details table, a separate page opens to show the comparable code fragments (see image below):

  • A tab will open split into two areas (left/right) to display selected component source code and master source code (on left by default)
  • Component Selector exists in two areas so that you can change the component source code display by selecting the item
  • File selector is under component selector (with black background) so that you can see the component source code located in each file

Bookmarks

When results include violation bookmarks in the source code, the dashboard can access more details about the actual defects in the object for the current Rule. The violation bookmarks are displayed per defect found; the display follows the same pattern as the object source code viewer: each code fragment is associated to its related file and the violation bookmark is highlighted using colour (yellow for a standard Rule, red for critical, as shown below). Multiple bookmarks may be associated to a single defect (as shown below):

A More defects button will appear when there are more than five defects in the object for the current Rule:

If a defect contains multiple bookmarks, then the Primary/Secondary bookmark will appear to show the main bookmark and additional bookmarks as shown below. The display follows the same pattern as the object source code viewer, except that the secondary bookmark will be highlighted as blue:

A More bookmarks button will appear when there are more than five bookmarks in one defect for the current Rule. The colour depends on whether the Rule is critical (red) or not (yellow). If you click the "View File" button, the line numbers are highlighted:

OWASP bookmark display

Bookmarks for defects in source code violating OWASP Rules (such as Avoid SQL injection vulnerabilities (CWE-89)) are displayed slightly differently to help you follow the violation trail within the Application:

  • Call label: this label will be displayed when the object inside the source code calls another object or method
  • Return label: this label will be displayed when the object inside the source code returns to the upper level

You can use the "eye" icon to the right of the list to view the source code file in which the bookmark is located:

Violation details

The Violation details section underneath the Source Code display shows the Violation Name along with the values of the Violation Details (i.e the "Associated Values"):

If the Rule does not have any violation details, the message "No violation details for this Rule" will be displayed instead.

Why is that an issue?

You can use the Why is that an issue? option underneath the Source Code display to view the Rationale section of the Rule that has been violated. Clicking the Learn More button will take you directly to a full description of the violated Rule: 

Computing Details

This section displays:

  • the Total checks value which indicates the total number of objects in the Application that were checked against the current Rule.
  • the number of modules in which the current Rule has been checked during the snapshot generation (3 out of 7 in the example below)
  • the % compliance of the Rule. In the example below, the current Rule has a compliance of 18.29% - in other words 18.29% of the objects checked against this Rule were found to have no violations (the higher the number, the better the compliance).

  • Expanding the section (using the black arrow as explained above for the Violation list) will provide more detail. In the example below, we can see that:
    • three modules contain objects that were checked against the current Rule. A compliance % is provided for each module along with the number of objects violating the current Rule and the total number of objects in the module that were checked against the current Rule.
    • the compliance of 18.29% for the Total is the compliance percentage for all modules in the Application against the current Rule.

Module
Shows the name of each module that has objects, as defined during the snapshot configuration and generation.

Total Check
The total number of objects in the module that were checked against the current Rule.

Viol.
The number of objects in the module violating the current Rule.

Compliance
The compliance rate for the module - i.e. the percentage of objects in the module that are compliant with the Rule.

Note that the row containing the module name "Total" contains cumulative data for all modules displayed in the section.

Rule Documentation

  • Expand the Rule documentation section (using the black arrow as explained above for the Violation list) to view a detailed description of the current Rule:

If there are no Tags associated with the Rule, a "No Tag" message will be shown in the "Tags" section:

Accessing an object in the Application Investigation view

Clicking the following icon will take you directly to the object in the Application Investigation view:

Distribution

For a Distribution, you can view how objects in the current Application are distributed: objects are placed into categories depending on the criteria of the Distribution itself. Sections indicate which category each object falls into: Low/Small (Green), Average, High/Large and Very High/Very Large (Red). A Status column displays the status of the object between the current and previous snapshot (unchanged, added, deleted etc.). So to take the example of the Size Distribution:

  • View a detailed description of the current Distribution:

Measure

Quality Measures are listed in the Security Dashboard, however, since Measures are never "violated" in the same way a Rule is violated, little information can be displayed other than the documentation:

Table key

All tables that display data in the Risk Investigation mode contain various columns. The table below lists all possible column names and provides an explanation for each:

Health Measure

Added (icon column)
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.

Removed (icon column)
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.

#Critical / #Violations
Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed.

Previous
Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Health Measure
Name of the Health Measure.

Technical Criterion

Added (icon column)
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.

Removed (icon column)
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.

#Critical / #Violations
Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed.

Previous
Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Technical Criterion
Name of the Technical Criterion.

Weight
Displays the weight of the Technical Criterion in its parent Health Measure. The higher the value, the more weight the item carries.

Rules, Distributions and Measures

Added (icon column)
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.

Removed (icon column)
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.

#Critical / #Violations
Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed.

Evolution
Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Rules...
Name of the Rule/Distribution/Measure.

Weight
Displays the weight of the Rule/Distribution/Measure in its parent Technical Criterion. The higher the value, the more weight the item carries.

Critical Rule
A red dot in this column indicates that the Rule has been set as critical in the Assessment Model.

Violation

Action Plan / Exclusion (icon column)
Option to add/remove the violation from the Action Plan or the Scheduled Exclusion List (see Security Dashboard - Action Plan for more information). Note that to interact with the Action Plan/Scheduled Exclusion List, your user login must have the QUALITY_MANAGER/EXCLUSION_MANAGER role. These roles can be assigned at user level (when using Default Authentication mode) or via user or group (when using Standard LDAP authentication). Please see User authentication for more information.

Action / Exclusions
Indicates whether the violation has been added to the Action Plan or the Scheduled Exclusion List (see Security Dashboard - Action Plan for more information). One icon is shown per state:

  • Item has been added to the Action Plan.
  • Item has been added to the Scheduled Exclusion List.

Object Name Location
Displays the object name and, in the case of file based objects (as opposed to Database objects), the location on disk of the object.

When there are many violations, the search button helps to search for a specific violation (based on the Object Name Location field).

Risk

This value was previously known as Propagated Risk Index (PRI): it identifies the violations that can impact the largest number of components, involving objects with the largest number of violations pertaining to the Health Measure involved. The formula used to calculate this value is as follows:

PRI = (RPF + 1) x VI

Where RPF and VI equal:

RPF

Risk Propagation Factor (RPF): identifies violations that can impact the largest number of components in the Application. The impact area is computed as follows:

  • Risk Propagation Factor for a Robustness, Performance, or Security Violation is the size of its call path
  • Risk Propagation Factor for a Changeability Violation is its Fan-In
  • Risk Propagation Factor for a Transferability Violation is zero (0).

VI

Violation Index (VI): identifies objects with the largest number of violations, taking into account the weight of the Rules and of the Technical Criteria, for the Health Measure involved. The formula used to calculate this value is as follows.

For each object, identify the Rules it violates that contribute to the given Health Measure through Technical Criteria. For each such Rule, multiply the aggregate weight of the Rule within its Technical Criterion by the aggregate weight of that Technical Criterion within the Health Measure, and sum the products. In other words:

VI = Sum_of_all_rules_violated_by_the_object (Quality_rule_weight * technical_criteria_weight)
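
The Risk column formula above, carried through as an added Python example (not CAST's implementation). It computes VI from the Rules the object violates for the selected Health Measure and selects the RPF input the page assigns to that Health Measure (call path size, Fan-In, or zero); the Rule names, weights, call path size and Fan-In in the sample are constructed, and a Health Measure the page gives no RPF definition for is rejected rather than guessed.

```python
from dataclasses import dataclass

# Health Measures grouped by how the page defines their Risk Propagation Factor.
CALL_PATH_MEASURES = {"Robustness", "Performance", "Security"}   # RPF = size of the call path
FAN_IN_MEASURES = {"Changeability"}                              # RPF = Fan-In
ZERO_MEASURES = {"Transferability"}                              # RPF = 0


@dataclass(frozen=True)
class ViolatedRule:
    """One Rule an object violates, with the two weights the VI formula multiplies."""
    name: str
    rule_weight: int        # weight of the Rule within its Technical Criterion
    criterion_weight: int   # weight of that Technical Criterion within the Health Measure


def violation_index(violated_rules):
    """VI = sum over the object's violated Rules of (Rule weight * Technical Criterion weight)."""
    return sum(r.rule_weight * r.criterion_weight for r in violated_rules)


def risk_propagation_factor(health_measure, call_path_size=0, fan_in=0):
    """RPF per Health Measure as stated on the page; anything else is rejected rather than guessed."""
    if health_measure in CALL_PATH_MEASURES:
        return call_path_size
    if health_measure in FAN_IN_MEASURES:
        return fan_in
    if health_measure in ZERO_MEASURES:
        return 0
    raise ValueError(f"the page gives no RPF definition for {health_measure!r}")


def propagated_risk_index(health_measure, violated_rules, call_path_size=0, fan_in=0):
    """PRI = (RPF + 1) * VI, the value shown in the Risk column."""
    rpf = risk_propagation_factor(health_measure, call_path_size, fan_in)
    return (rpf + 1) * violation_index(violated_rules)


# Constructed sample object: the weights (and "Rule B") are illustrative, not Assessment Model values.
SAMPLE_RULES = [
    ViolatedRule("Avoid SQL injection vulnerabilities (CWE-89)", rule_weight=9, criterion_weight=8),
    ViolatedRule("Rule B (constructed)", rule_weight=5, criterion_weight=7),
]

if __name__ == "__main__":
    # VI = 9*8 + 5*7 = 107; with a call path of 4 objects, PRI = (4 + 1) * 107 = 535
    print(propagated_risk_index("Security", SAMPLE_RULES, call_path_size=4))
    # Same object under Transferability: RPF is 0, so PRI collapses to VI = 107
    print(propagated_risk_index("Transferability", SAMPLE_RULES, call_path_size=4))
```

The point of the two calls in the usage is that the same violations rank very differently depending on the Health Measure: a Security violation on an object with a long call path is amplified by that path, while a Transferability violation is never amplified.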

Status
Displays the status of the object in comparison to the previous snapshot - e.g.:

  • Added
  • Updated
  • Deleted
  • Unchanged

You can also filter on a status by selecting the column header and choosing the status you want to view:

Application Investigation (icon column)
Clicking this icon will take you directly to the object in the Application Investigation view.
Distribution
Object Name Location
Displays the object name.

Status

Displays the status of the object in comparison to the previous snapshot - e.g.:

  • Added
  • Updated
  • Deleted
  • Unchanged

You can also filter on a status by selecting the column header and choosing the status you want to view:

Measure

Measures only display the documentation.

Display rules

Each table displays Business Criteria, Technical Criteria and Rules/Distributions/Measures based on the following specific criteria:

  • Items are sorted by:
    • descending (worst to best) number of Violations in the current snapshot
    • if the number of Critical Violations/Violations is identical, the value in the Previous/Evolution column is then used to determine the display order
  • If the number of Critical Violations/Violations for an item is 0 (i.e. no violations), the line is greyed out to indicate that the item has no violations and is therefore of no interest for remediation purposes. You can still consult the item by clicking it if necessary.
  • If the variation % in the Previous column is exactly 0, the variation is shown as 0.00% and the item is greyed out. The variation % may be 0.00 if:
    • there is no previous snapshot available to make a comparison
    • or there has been no change between the current and previous snapshot
  • If the variation % displayed is 0.00 but there is a very slight variation between the current and previous snapshots (for example 0.003), a tilde (~) is prefixed to the variation value to indicate that it is approximate.
  • When the Previous % is identical to the Baseline %, the Previous snapshot and the Baseline snapshot are one and the same (i.e. only two snapshots exist), or only a single snapshot exists.
  • N/A is displayed for the variation if there is only one snapshot - the item cannot be consulted.

For Rules only:

  • The word "new" will be displayed in the % Evolution column when a Rule was not violated in the previous snapshot (the word "new" will never be displayed if there is only one snapshot).
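
The display rules above, expressed as a small sorting and labelling routine. This is an added Python example, not dashboard code. The variation formula ((current - previous) / previous * 100), the tie-break direction (larger increase first) and what a non-Rule item shows when its previous count was 0 are assumptions, since the page does not state them; the single-snapshot case is shown as N/A (the page mentions both 0.00% and N/A for it). The sample rows are constructed so that each rule on the page is exercised once.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Item:
    """A row in a Risk Investigation table (Health Measure, Technical Criterion or Rule)."""
    name: str
    violations: int            # #Critical / #Violations in the current snapshot
    previous: Optional[int]    # the same count in the previous snapshot; None when there is none
    is_rule: bool = False      # only Rules get the "new" marker


def evolution(item):
    """Return (variation %, text shown in the Previous/Evolution column).

    Assumed formula, not stated on the page: (current - previous) / previous * 100.
    """
    if item.previous is None:                       # only one snapshot: nothing to compare with
        return None, "N/A"
    if item.previous == 0:
        if item.violations == 0:
            return 0.0, "0.00%"
        # Not violated before: Rules show "new"; for other items the % is undefined (assumed N/A).
        return None, "new" if item.is_rule else "N/A"
    pct = (item.violations - item.previous) / item.previous * 100
    if pct == 0:                                    # exactly no change
        return 0.0, "0.00%"
    if round(pct, 2) == 0:                          # e.g. 0.003: non-zero but rounds to 0.00
        return pct, "~0.00%"
    return pct, f"{pct:+.2f}%"


def is_greyed(item):
    """Greyed rows: no violations at all, or a variation of exactly 0."""
    value, _ = evolution(item)
    return item.violations == 0 or value == 0.0


def display_order(items):
    """Worst first by violation count; ties broken on the variation (assumed: larger increase first)."""
    def key(item):
        value, _ = evolution(item)
        return (-item.violations, value is None, -(value or 0.0))
    return sorted(items, key=key)


# Constructed sample rows covering each display rule on the page.
SAMPLE = [
    Item("Item A", violations=40, previous=40),                  # unchanged: 0.00%, greyed
    Item("Item B", violations=40, previous=32),                  # +25.00%, sorts above Item A
    Item("Rule C", violations=12, previous=0, is_rule=True),     # not violated before: "new"
    Item("Item D", violations=0, previous=3),                    # no violations: greyed row
    Item("Item E", violations=100000, previous=99997),           # +0.003%: shown as ~0.00%
    Item("Item F", violations=7, previous=None),                 # single snapshot: N/A
]

if __name__ == "__main__":
    for item in display_order(SAMPLE):
        _, label = evolution(item)
        print(f"{item.name:8} {item.violations:>7} {label:>8} {'(greyed)' if is_greyed(item) else ''}")
```

Item A and Item B have the same count, so only the variation separates them; Item E shows why the tilde matters, since a change of three violations out of a hundred thousand would otherwise be indistinguishable from no change.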

Filtering

By default when using the Risk Investigation view, the entire Application content is displayed. However, you may be interested in investigating a subset of the Application (a specific module or a specific technology). Two filters are available for that purpose in the breadcrumb area, at the top right.

  • Module filter > When investigating any item in the Assessment Model, you can filter results with regard to a specific module. Please note that while drilling down, a Technical Criterion or a Rule may not apply to a specific module (e.g. a SQL Rule does not apply to a module that contains no SQL technology, hence if that Rule is selected, filtering on a module to which it does not apply holds no meaning).
  • Module Search > The Search feature is now available in the module selector and displays all the available modules.

Technology filter > The same filtering applies to the Risk Investigation.
By default the filters are inactive (red text) and are only active when specifically selected (white text):

Some filtering may not be relevant as you drill down. If you are investigating a JEE specific Rule and try to filter on the HTML5 technology (for example), no data would be returned; to make this clearer, the HTML5 technology filter option is disabled (lighter grey colour) in this context. This can apply at Technical Criterion or Rule level and, in some rare cases, even at Health Measure level:

  • When investigating a specific object, the filters are disabled as they are no longer relevant.
  • For several reasons (avoiding confusion, and bookmarks or tiles leading to rules/objects in a given context), the filters are always reset when leaving the Risk Investigation pages.