Summary: this page describes the security standards that CAST supports via the standard CAST AIP Quality Model.
CAST AIP provides support for a wide range of security rules that are established by leading industry research and standards on security vulnerabilities. These security rules are originated from established standards such as:
- Open Web Application Security Project (OWASP) Top 10 - OWASP Top 10 provides a list of the 10 most critical web application security risks.
- Common Weakness Enumeration (CWE) Top 25 – CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.
- Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS provides an actionable framework for developing a robust payment card data security process.
- Consortium for IT Software Quality (CISQ) / OMG Automated Source Code Security Measure Standard - MITRE has participated in the CISQ initiative to specify an automated source code security measurement standard, derived from the CWE Top 25 by focusing on automatable measurements. Please also refer to MITRE own communication about their work with the CISQ:
- International Organization for Standardization - ISO-5055 - https://www.iso.org/standard/80623.html
CAST documents its rule sets in the structural rule portal. Rules can be browsed according to the standard they meet:
Rules and standards are continually evolving so please check the rules portal for the most up-to-date list of supported standards.