Page tree
Skip to end of metadata
Go to start of metadata

Summary: This page provides information about the Security Analyzer extension for JEE and .NET.

Extension ID

com.castsoftware.securityanalyzer

What's new?

Please see Security Analyzer - 1.0 - Release Notes for more information.

Technical information

When installed, this extension replaces the Security Analyzer embedded in CAST AIP Core:

  • The Security Analyzer embedded in AIP Core will continue to exist and will be shipped "out of the box" with AIP Core.
  • Critical bugs will continue to be fixed in the Security Analyzer embedded in AIP Core but no new features or functionality will be added.
  • The Security Analyzer extension will have exactly the same features and functionality on release as the Security Analyzer embedded in AIP Core, therefore analysis results will be identical.
  • The Security Analyzer is compatible with AIP Core ≥ 8.3.44.
  • All future development of the Security Analyzer (new features, functionality etc.) will be completed in the Security Analyzer extension only. Critical bug fixes will be fixed in the Security Analyzer extension (as well as the analyzer embedded in AIP Core).
  • The behaviour is as follows:
    • Nothing is automatic - for both AIP Console and "legacy" CAST AIP deployments, the Security Analyzer extension must be manually downloaded and installed in order to use it.
    • If the extension is installed, CAST AIP Console/CAST Management Studio will automatically detect that it exists and will use the extension rather than the analyzer embedded in AIP Core.
    • Once the extension has been installed and used to produce analysis results, it is not possible to reverse this choice by removing the extension and re-analyzing the source code again.

In what situation should you install this extension?

You should install this extension when you want to detect improper user input validation in your application's source code, which can lead to the following security vulnerabilities:

  • SQL Injection (CWE-89)
  • Cross-Site Scripting (CWE-79)
  • LDAP Injection (CWE-90)
  • OS Command Injection (CWE-78)
  • XPath Injection (CWE-91)
  • Path Manipulation (CWE-99)
  • Avoid Log forging vulnerabilities (CWE-117)
  • Avoid uncontrolled format string (CWE-134)
  • Trust Boundary Violation (CWE-501)
  • Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
  • Use of hard-coded credential (java, C#, VB.Net languages) (CWE-798)

Function Point, Quality and Sizing support

This extension provides the following support:

Function Points
(transactions)
(error)A green tick indicates that OMG Function Point counting and Transaction Risk Index are supported.
Quality and Sizing(tick)A green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist.

AIP Core compatibility

This extension is compatible with:

AIP core release

Supported

≥ 8.3.44(tick)

Supported DBMS servers

This extension is compatible with the following DBMS servers:

CAST Storage Service/PostgreSQL(tick)

Supported technologies

JEE

(tick)

.NET(tick)

Prerequisites

(tick)An installation of any compatible release of AIP core (see table above)
(tick)User Input Security analyses require a significant of free RAM memory on the target AIP Node - see CAST AIP for Dashboards - Hardware requirements.

Download and install the extension

The Security Analyzer extension must be downloaded manually using the Available Extensions interface in AIP Console. See Download an extension using AIP Console and Application - Extensions.

Detailed information

Detailed information about how the Security Analyzer functions can be found in the following pages:

Rules provided by the extension

Please find the list of rules here:

Other rules calculated by the Security Analyzer are provided in AIP Core.

  • No labels