Development life-cycle
Third party software
Preservation of intellectual property rights on third-party software
When adding a third-party source code library, we verify that the intellectual property rights are preserved. A page in our official documentation (see https://doc.castsoftware.com/legal/open-source/) lists every use of third-party source code and the license under which it is used.
Update of third party software
Third-party components used within CAST developments must regularly be updated to new versions to get fixes and improvements. This is done by the team at the start of each major version or when required by a new functional need. For most components, testing is performed during the Dev and QA stages without a specific study of each component. For specific components with a direct and significant impact on security (database access, authentication, etc.), information about the new version included in the product is given in the Change Management request for the production release, so that the component can be checked for known security flaws. An upgrade of a third-party component may also be proposed by IT administrators when a known vulnerability is solved by a patch. The request is made through a Change Management request and, depending on the severity of the vulnerability, may need to be tested and implemented as soon as possible.
Third-party source access and integrity
Third-party software is loaded from trusted sources using a package manager that performs checksum validation.
Pre-Release malware scanning
As part of CAST’s software release process, all product binaries and installation media undergo comprehensive malware scanning before publication. This security measure ensures that distributed software is free from malicious code and safe for customer deployment.
Scanning process
Each release version is scanned using enterprise-grade antivirus solutions prior to distribution. The scanning process includes:
- Scan engines: Sentinel Agent, Trivy, Grype
- Scan scope: Complete installation media and all executable binaries
- Scan timing: Performed immediately before official release
- Detection focus: Malware, malicious code, trojans, and executable threats
All scans are conducted with up-to-date virus definitions to ensure maximum protection against current threats.
What we scan
The malware scanning process covers:
- Installation media packages
- All executable binaries (.exe, .dll, etc.)
- Software distributed through authorized CAST delivery channels
- Product-specific installers and components
Verification methods
CAST provides multiple layers of security verification:
Malware scanning
Each release receives a clean bill of health from antivirus scanning before distribution.
Integrity verification
Customers can independently verify software authenticity using:
- SHA-256 checksums: Each installer is protected by a cryptographic checksum
- Official checksum publication: Checksums are published on the CAST Extend platform
- Independent verification: Customers can verify installer integrity after download
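As an added example (not CAST's own tooling), the following Python script carries out the independent verification step above: it parses a published checksum list and compares a downloaded installer's SHA-256 digest against the entry for its file name. The checksum file layout (sha256sum style) and the installer name are assumptions.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumption (not from the CAST page): the published checksum list uses the
# common "<sha256-hex>  <filename>" layout of sha256sum output, one entry per
# line; lines starting with '#' are treated as comments.
CHECKSUM_LINE = re.compile(r"([0-9A-Fa-f]{64})\s+\*?(\S.*)")


def parse_checksum_file(text: str) -> dict[str, str]:
    """Map each listed filename to its lowercase hex SHA-256 digest."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.fullmatch(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large installers are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: Path, published: dict[str, str]) -> bool:
    """True only if the file's digest matches the published one for its name."""
    expected = published.get(path.name)
    if expected is None:
        raise KeyError(f"no published checksum for {path.name}")
    # constant-time compare: not strictly needed for a hash, but a safe habit
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> tuple[bool, bool]:
    """Constructed sample: an intact installer, then the same file tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "CAST-Setup.exe"  # constructed, hypothetical name
        installer.write_bytes(b"MZ" + bytes(range(256)) * 8)
        published = parse_checksum_file(
            f"{sha256_of_file(installer)}  {installer.name}\n")
        intact = verify_installer(installer, published)
        installer.write_bytes(installer.read_bytes() + b"\x00")  # tamper: append a byte
        return intact, verify_installer(installer, published)
```

`demo()` returns `(True, False)`: the untouched file verifies, and a single appended byte is enough to fail the check.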
Certification
CAST certifies that all released software versions are free from malware and known executable threats at the time of publication. Each major release includes documentation confirming:
- Malware scan completion date
- Scan results (clean/no threats detected)
- Applicable scope (installation media and binaries)
Security practices
CAST implements comprehensive security practices throughout the software development life-cycle to protect sensitive data, manage vulnerabilities, and ensure secure deployments. These practices are integrated into our CI/CD pipeline and enforced across all product releases.
Dependency management
Vulnerability scanning
Every release undergoes automated security scanning using industry-standard tools:
- Trivy: Container and dependency vulnerability scanning
- Docker Scout: Docker image security analysis
- Continuous monitoring: Scans integrated into CI/CD pipeline
Pipeline integration
Our deployment pipeline includes mandatory security checkpoints:
1. build → Compile code, run tests
2. security-scan → Run Trivy and Docker Scout
3. deploy-int → Deploy to integration (if scans pass)
4. release-test → Quality assurance testing
5. release-prod → Production release
Key Feature: Deployments are automatically blocked if critical/high security issues are detected during the security-scan stage.
An explanation of the terms “critical” and “high” for security vulnerabilities can be found in the CVSS v3.1 specification: https://www.first.org/cvss/v3.1/specification-document
Compliance and reporting
Security scan results are:
- Reviewed for every release
- Documented in release notes
- Tracked for trending and metrics
- Used for continuous improvement of security posture