This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.

Extension ID

com.castsoftware.owasp-index

Description

This extension will compute

All CAST rules tagged with one of the supported standards (an OWASP category, a CWE entry or a PCI DSS requirement) contribute to the corresponding technical criterion provided by the extension, so that grades and rule violations can be reported per standard and per category.

Compatibility

Product                    | Release  | Supported
CAST Imaging Core          | ≥ 8.3.24 | Yes
CAST Engineering Dashboard | ≥ 1.5    | Yes
CAST Health Dashboard      | ≥ 1.17   | Yes
CAST Security Dashboard    | ≥ 1.20   | Yes

Supported indexes/standards

  • OWASP 2021
  • OWASP 2017
  • OWASP 2013
  • CWE 2022
  • CWE 2021
  • CWE 2020
  • CWE 2019
  • CWE 2011
  • PCI DSS 3.2.1
  • PCI DSS 3.1

Download and installation instructions

The extension is not automatically downloaded and installed in CAST Console. If you need to use it, you must install the extension manually.

Configuration requirements

Generate a snapshot

A new snapshot must be generated (after the extension is installed) before results can be viewed. If you do not immediately see changes in the dashboard, please consider restarting the dashboard service and/or emptying your browser cache.

Engineering Dashboard

Tiles

Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.18 of the Engineering Dashboard. See Engineering Dashboard tile management for more information.

Clicking on the tile navigates to the Risk Investigation view, with the specified Industry Standard selected in the Health Factor table.

Health Dashboard

Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Grade, Compliance, and Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.17 of the Health Dashboard. See Health Dashboard tile management for more information. Clicking on any of these tiles will display a list of the rules that have been tagged with the specified standard as provided by the extension. Compliance percentage is also displayed in a "bubble".

Example for cmp.json

Configuration to create a "gauge" tile at portfolio level (multi-app level) to show an OWASP-2017 A1-2017 tile. In the industryStandard block, "id" is the ID of the technical criterion to display (1062321 = A1-2017) and "indexID" is the ID of the business criterion it belongs to (1062320 = OWASP-2017); both IDs are listed in the Assessment Model section of this page:

{
  "id": 1234,
  "plugin": "IndustryStandards",
  "color": "black",
  "parameters": {
    "type": "OWASP-2017",
    "title": "OWASP-2017 A1-2017",
    "widget": "gauge",
    "industryStandard": {
      "id": "1062321",
      "indexID": "1062320",
      "mode": "grade",
      "format": "0.00",
      "description": "OWASP-2017 A1-2017, in grade format"
    }
  }
}

Example for app.json

Configuration to create a "number of violations" tile at application level (single app level) to show an OWASP-2017 A1-2017 tile. The same "id" / "indexID" pairing applies (technical criterion 1062321 under business criterion 1062320); only the plugin name, the "mode" and the number "format" differ from the portfolio-level example:

{
  "id": 1236,
  "plugin": "IndustryStandard",
  "color": "orange",
  "parameters": {
    "type": "OWASP-2017",
    "title": "OWASP-2017 A1-2017",
    "industryStandard": {
      "id": "1062321",
      "indexID": "1062320",
      "mode": "violations",
      "format": "0,000",
      "description": "OWASP-2017 A1-2017, in number of violations format"
    }
  }
}
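Writing one tile per OWASP category by hand means repeating the id / indexID pairing many times, and a technical criterion paired with the wrong index is easy to miss in a large cmp.json or app.json. The following Python script is an added example, not part of the extension or of CAST's own tooling: it generates a tile entry in the shape shown above for every technical criterion of an OWASP index, and checks existing entries against the criterion IDs given in the Assessment Model section. The criterion IDs, plugin names, mode and format strings are the ones on this page; the function names, the tile numbering and the restriction to the "grade" and "violations" modes are this example's own assumptions.

```python
"""Generate and validate Industry Standard tile entries for the OWASP Index
extension.  Added example; criterion IDs, plugin names, modes and formats are
taken from the extension documentation, everything else is an assumption."""
import json

# Business criteria (index roots) from the Assessment Model section.
BUSINESS_CRITERIA = {1062300: "OWASP-2013", 1062320: "OWASP-2017", 1062340: "OWASP-2021"}

# Technical criteria: ID -> (name, parent business criterion).  The documented
# IDs are consecutive after each root (A1-2013 = 1062301, A1-2017 = 1062321,
# A01-2021 = 1062341); the page lists A1..A9 for OWASP 2017.
TECHNICAL_CRITERIA = {}
for base, year, count, width in ((1062300, 2013, 10, 1), (1062320, 2017, 9, 1), (1062340, 2021, 10, 2)):
    for n in range(1, count + 1):
        TECHNICAL_CRITERIA[base + n] = (f"A{n:0{width}d}-{year}", base)

# Plugin name per target file, and (number format, description label) per mode,
# exactly as in the page's two examples.
PLUGIN_FOR = {"cmp.json": "IndustryStandards", "app.json": "IndustryStandard"}
MODES = {"grade": ("0.00", "grade"), "violations": ("0,000", "number of violations")}


def tile_entry(tile_id, tc_id, mode, target="cmp.json", color="black", widget=None):
    """Return one tile entry (a dict ready for json.dump) for technical criterion tc_id."""
    name, index_id = TECHNICAL_CRITERIA[tc_id]
    index_name = BUSINESS_CRITERIA[index_id]
    fmt, label = MODES[mode]
    params = {
        "type": index_name,
        "title": f"{index_name} {name}",
        "industryStandard": {
            "id": str(tc_id),            # IDs are strings in the page's examples
            "indexID": str(index_id),
            "mode": mode,
            "format": fmt,
            "description": f"{index_name} {name}, in {label} format",
        },
    }
    if widget:                           # e.g. "gauge", used in the cmp.json example
        params["widget"] = widget
    return {"id": tile_id, "plugin": PLUGIN_FOR[target], "color": color, "parameters": params}


def tiles_for_index(index_id, first_tile_id, mode, target="cmp.json", **kw):
    """One tile per technical criterion of the index, numbered from first_tile_id."""
    tcs = sorted(tc for tc, (_, parent) in TECHNICAL_CRITERIA.items() if parent == index_id)
    return [tile_entry(first_tile_id + i, tc, mode, target, **kw) for i, tc in enumerate(tcs)]


def validate_tile(tile, target):
    """Return a list of problems; empty when the tile is consistent with the model."""
    problems = []
    params = tile.get("parameters", {})
    std = params.get("industryStandard", {})
    if tile.get("plugin") != PLUGIN_FOR[target]:
        problems.append(f"plugin {tile.get('plugin')!r} is not the {target} plugin name")
    try:
        tc_id, index_id = int(std.get("id")), int(std.get("indexID"))
    except (TypeError, ValueError):
        problems.append("id / indexID must be numeric strings")
        return problems
    if tc_id not in TECHNICAL_CRITERIA:
        problems.append(f"{tc_id} is not a technical criterion of this extension")
    elif TECHNICAL_CRITERIA[tc_id][1] != index_id:
        problems.append(f"{tc_id} ({TECHNICAL_CRITERIA[tc_id][0]}) does not belong to index {index_id}")
    if params.get("type") != BUSINESS_CRITERIA.get(index_id):
        problems.append(f"type {params.get('type')!r} does not match index {index_id}")
    mode = std.get("mode")
    if mode not in MODES:
        problems.append(f"unsupported mode {mode!r}")
    elif std.get("format") != MODES[mode][0]:
        problems.append(f"format {std.get('format')!r} is unusual for mode {mode!r}")
    return problems


def render(tiles):
    """Serialise the tile list as it would appear inside cmp.json / app.json."""
    return json.dumps(tiles, indent=2)


if __name__ == "__main__":
    # Portfolio-level gauge tiles for all nine documented OWASP-2017 categories.
    tiles = tiles_for_index(1062320, 1234, "grade", widget="gauge")
    for t in tiles:
        assert validate_tile(t, "cmp.json") == []
    print(render(tiles))
```

Paste the rendered list into the tile array of the target file; run validate_tile over tiles you have already written to catch an "id" that belongs to a different index than its "indexID", or a "type" that names the wrong standard.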

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the dashboards:

Assessment Model

Various Business and Technical Criteria will be added by the extension:

OWASP 2021

ID      | Name       | Type
1062340 | OWASP-2021 | Business Criterion
1062341 | A01-2021   | Technical Criterion
1062342 | A02-2021   | Technical Criterion
1062343 | A03-2021   | Technical Criterion
1062344 | A04-2021   | Technical Criterion
1062345 | A05-2021   | Technical Criterion
1062346 | A06-2021   | Technical Criterion
1062347 | A07-2021   | Technical Criterion
1062348 | A08-2021   | Technical Criterion
1062349 | A09-2021   | Technical Criterion
1062350 | A10-2021   | Technical Criterion

OWASP 2017

ID      | Name       | Type
1062320 | OWASP-2017 | Business Criterion
1062321 | A1-2017    | Technical Criterion
1062322 | A2-2017    | Technical Criterion
1062323 | A3-2017    | Technical Criterion
1062324 | A4-2017    | Technical Criterion
1062325 | A5-2017    | Technical Criterion
1062326 | A6-2017    | Technical Criterion
1062327 | A7-2017    | Technical Criterion
1062328 | A8-2017    | Technical Criterion
1062329 | A9-2017    | Technical Criterion

OWASP 2013

ID      | Name       | Type
1062300 | OWASP-2013 | Business Criterion
1062301 | A1-2013    | Technical Criterion
1062302 | A2-2013    | Technical Criterion
1062303 | A3-2013    | Technical Criterion
1062304 | A4-2013    | Technical Criterion
1062305 | A5-2013    | Technical Criterion
1062306 | A6-2013    | Technical Criterion
1062307 | A7-2013    | Technical Criterion
1062308 | A8-2013    | Technical Criterion
1062309 | A9-2013    | Technical Criterion
1062310 | A10-2013   | Technical Criterion

CWE

ID      | Name | Type
1066000 | CWE-2011 | Business Criterion
1066001 | CWE-2019 | Business Criterion
1066002 | CWE-2020 | Business Criterion
1066003 | CWE-2021 | Business Criterion
1066004 | CWE-2022 | Business Criterion
1066120 | CWE-20 - Improper Input Validation | Technical Criterion
1066122 | CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Technical Criterion
1066177 | CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') | Technical Criterion
1066178 | CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Technical Criterion
1066179 | CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Technical Criterion
1066189 | CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Technical Criterion
1066194 | CWE-94 - Improper Control of Generation of Code ('Code Injection') | Technical Criterion
1066219 | CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer | Technical Criterion
1066220 | CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Technical Criterion
1066225 | CWE-125 - Out-of-bounds Read | Technical Criterion
1066231 | CWE-131 - Incorrect Calculation of Buffer Size | Technical Criterion
1066234 | CWE-134 - Use of Externally-Controlled Format String | Technical Criterion
1066290 | CWE-190 - Integer Overflow or Wraparound | Technical Criterion
1066300 | CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor | Technical Criterion
1066350 | CWE-250 - Execution with Unnecessary Privileges | Technical Criterion
1066369 | CWE-269 - Improper Privilege Management | Technical Criterion
1066376 | CWE-276 - Incorrect Default Permissions | Technical Criterion
1066387 | CWE-287 - Improper Authentication | Technical Criterion
1066395 | CWE-295 - Improper Certificate Validation | Technical Criterion
1066406 | CWE-306 - Missing Authentication for Critical Function | Technical Criterion
1066407 | CWE-307 - Improper Restriction of Excessive Authentication Attempts | Technical Criterion
1066411 | CWE-311 - Missing Encryption of Sensitive Data | Technical Criterion
1066427 | CWE-327 - Use of a Broken or Risky Cryptographic Algorithm | Technical Criterion
1066452 | CWE-352 - Cross-Site Request Forgery (CSRF) | Technical Criterion
1066462 | CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Technical Criterion
1066500 | CWE-400 - Uncontrolled Resource Consumption | Technical Criterion
1066516 | CWE-416 - Use After Free | Technical Criterion
1066526 | CWE-426 - Untrusted Search Path | Technical Criterion
1066534 | CWE-434 - Unrestricted Upload of File with Dangerous Type | Technical Criterion
1066576 | CWE-476 - NULL Pointer Dereference | Technical Criterion
1066594 | CWE-494 - Download of Code Without Integrity Check | Technical Criterion
1066602 | CWE-502 - Deserialization of Untrusted Data | Technical Criterion
1066622 | CWE-522 - Insufficiently Protected Credentials | Technical Criterion
1066701 | CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') | Technical Criterion
1066711 | CWE-611 - Improper Restriction of XML External Entity Reference | Technical Criterion
1066776 | CWE-676 - Use of Potentially Dangerous Function | Technical Criterion
1066832 | CWE-732 - Incorrect Permission Assignment for Critical Resource | Technical Criterion
1066859 | CWE-759 - Use of a One-Way Hash without a Salt | Technical Criterion
1066872 | CWE-772 - Missing Release of Resource after Effective Lifetime | Technical Criterion
1066887 | CWE-787 - Out-of-bounds Write | Technical Criterion
1066898 | CWE-798 - Use of Hard-coded Credentials | Technical Criterion
1066907 | CWE-807 - Reliance on Untrusted Inputs in a Security Decision | Technical Criterion
1066929 | CWE-829 - Inclusion of Functionality from Untrusted Control Sphere | Technical Criterion
1066962 | CWE-862 - Missing Authorization | Technical Criterion
1066963 | CWE-863 - Incorrect Authorization | Technical Criterion
1067018 | CWE-918 - Server-Side Request Forgery (SSRF) | Technical Criterion

PCI DSS

ID      | Name | Type
1063000 | PCI-DSS-V3.1 | Business Criterion
1063001 | PCI-DSS-V3.2.1 | Business Criterion
1063101 | PCI-Requirement-1.3.8 - Do not disclose private IP addresses and routing information to unauthorized parties. | Technical Criterion
1063103 | PCI-Requirement-2.2.4 - Configure system security parameters to prevent misuse. | Technical Criterion
1063108 | PCI-Requirement-3.6.1 - Generation of strong cryptographic keys | Technical Criterion
1063109 | PCI-Requirement-4.1 - Use strong cryptography and security protocols | Technical Criterion
1063112 | PCI-Requirement-6.2 - Ensure all Systems and Software are Protected from Known Vulnerabilities | Technical Criterion
1063113 | PCI-Requirement-6.3.1 - Remove Development and Test Accounts, User IDs, and Passwords Before Release | Technical Criterion
1063114 | PCI-Requirement-6.5.1 - Injection flaws, particularly SQL injection | Technical Criterion
1063115 | PCI-Requirement-6.5.10 - Broken authentication and session management | Technical Criterion
1063116 | PCI-Requirement-6.5.2 - Buffer overflows | Technical Criterion
1063117 | PCI-Requirement-6.5.3 - Insecure cryptographic storage | Technical Criterion
1063118 | PCI-Requirement-6.5.4 - Insecure communications | Technical Criterion
1063119 | PCI-Requirement-6.5.5 - Improper error handling | Technical Criterion
1063120 | PCI-Requirement-6.5.6 - All high risk vulnerabilities | Technical Criterion
1063121 | PCI-Requirement-6.5.7 - Cross-site scripting (XSS) | Technical Criterion
1063122 | PCI-Requirement-6.5.8 - Improper access control | Technical Criterion
1063123 | PCI-Requirement-6.5.9 - Cross-site request forgery (CSRF) | Technical Criterion
1063126 | PCI-Requirement-8.2.1 - Using strong cryptography | Technical Criterion

Engineering Dashboard

Out of the box, results are displayed in a dedicated interface: click the relevant Assessment Model option (for example OWASP-2013 or OWASP-2017) to view the results for that standard.

Health Dashboard

Out of the box, no results are provided. Tiles can be configured manually as described above.

Security Dashboard

Out of the box, OWASP results are displayed in a dedicated interface: after clicking the Risk Investigation tile on the Application home page, click the OWASP-2013 or OWASP-2017 Assessment Model option to view the results.

RestAPI

The RestAPI can be used to query both the Dashboard (AED) and Measurement (AAD) schemas for results, including the OWASP results computed by this extension.