Frequently Asked Questions about Security and Compliance


Overview

This document provides comprehensive answers to common security questions about CAST Imaging and related products. It covers key security aspects including secure development practices, compliance standards, authentication and authorization mechanisms, data protection, and system configuration options.

CAST Imaging leverages industry-standard security tools and frameworks, including Keycloak for identity and access management, TLS encryption for data in transit, and support for enterprise authentication methods (LDAP, SAML). The platform follows secure development practices with regular SAST/DAST scanning, complies with standards such as FIPS 140-2, OWASP, and CWE Top 25, and maintains certifications through its GitLab-based source code repository (SOC 2 Type II, ISO 27001/27017).

This guide is intended for security teams, compliance officers, and system administrators evaluating or implementing CAST Imaging in their environments.


Secure Development Lifecycle (SDLC)

Q: Is security integrated at each phase of the SDLC?

A: Yes. During the development phase:

  • Nightly security scans run on the main branch using Trivy and Docker Scout.
  • Developers receive email alerts about vulnerabilities.
  • JIRA tickets are created and assigned to component owners.

Q: How frequently are the applications subjected to security scans (such as SAST & DAST)?

A: Regular scans are conducted:

  • DAST (Dynamic Application Security Testing) is performed annually.
  • SAST (Static Application Security Testing) is done using CAST analyzers.

Q: Are there InfoSec policies governing the remediation of reported vulnerabilities?

A: Yes. During the release process:

  • A full dependency scan is required.
  • An exception process exists for vulnerable but necessary dependencies.
  • Risk assessment documentation is maintained. See example here: 3.5 - Security fixes.

Software Composition Analysis (SBOM)

Q: Please provide a Software Bill of Materials (SBOM) for the respective applications, including open-source software.

A: An SBOM is available in CycloneDX format. Contact the CAST Support team.

Q: Is the SBOM in an NTIA or CISA-approved machine-readable format?

A: Yes.


Source Code & Repository Management

Q: Is the source code stored in a version-controlled repository with audit trails?

A: Yes. All code and configuration-as-code are stored on GitLab.com, which is:


Code Signing & Integrity

Q: Is code signing and hashing used to ensure integrity?

A: Yes. SHA-256 is used for hashing.


FIPS 140-2 Compatibility (Federal Information Processing Standards)

Q: Is the application compliant with FIPS 140-2?

A: Yes. We use Keycloak, which supports FIPS 140-2: Keycloak FIPS.


Common Security Threats

Q: How does your software defend against common security threats (e.g., XSS, Buffer Overflow, MITM, etc.)?

A: We follow secure development standards, comply with CWE Top 25 (2021) and OWASP 2021/2025, and monitor using our CAST Security Dashboard.


Data Protection & Key Management

Q: What solutions are used for encryption key management (e.g., KMS, HSM)?

A: SSL connections are used between modules. For support-related code transfers, anonymization tools are provided.


Securing Communications (HTTPS)

CAST Imaging supports HTTPS to encrypt communications between its components and users, ensuring data confidentiality and integrity. Implementing HTTPS is also a prerequisite for enabling SAML authentication.

CAST offers detailed instructions for configuring HTTPS across various deployment environments:

  • Microsoft Windows: Guidance on generating key pairs, configuring services like SSO, Gateway, and Authentication, and updating necessary configuration files.
  • Linux via Docker: Steps to set up HTTPS within Docker-based deployments, including certificate management and service configuration.

For detailed instructions, refer to the official documentation: Configure HTTPS in CAST Imaging.


Identity & Access Management

Q: What authentication/authorization methods are used for CAST Imaging?

A: Local, LDAP, and SAML (via Keycloak).

Q: Does CAST use PAM (Privileged Access Management) for admin logins?

A: No PAM. Keycloak is used for IAM (Identity and Access Management).

Q: What roles are available?

A: For CAST Imaging 3, the roles are listed in the following page: User Permissions.

More information about CAST Console 2 and CAST Imaging 2 is available here:

Q: Will SSO via ADFS be enabled?

A: This is optional. Keycloak supports LDAP/SAML.

Q: In the absence of SSO, how are users onboarded?

A: Via Keycloak with local, LDAP, or SAML.

Q: What are the password policies?

A: They are configurable in Keycloak for local user authentication: complexity, length, expiration.

Q: Are account lockout and session timeout supported?

A: This is configurable in Keycloak.

Q: Is 2FA supported?

A: Yes, it is configurable in Keycloak.

Q: Can integration with centralized access management be done?

A: Yes. Keycloak supports SAML, LDAP.

Q: Does CAST have access to the admin module post-deployment?

A: No default access. Temporary access for support is controlled, limited, and logged.


Data Access & Monitoring

Q: Does CAST have access to backend data (S3, DB)?

A: No default access.

Q: Can the admin console integrate with PAM for audit?

A: Yes, via Keycloak APIs and logs, depending on PAM.


Database Security and Encryption

Q: Do CAST products use database links (DB-Links)?

A: No. CAST products do not use any database links (DB-Links), which helps reduce the risk of unauthorized or unintended cross-database access. Interactions with the storage layer are controlled and secured.

Q: Are database connections encrypted?

A: Database connections are secured with SSL/TLS encryption to ensure the confidentiality and integrity of data in transit. For technical implementation, refer to: Configuring certificate-based authentication for database connections.

Q: Do the cryptographic protocols comply with institutional policies?

A: Yes. CAST uses TLS v1.2, the protocol supported by PostgreSQL, which aligns with institutional cryptographic policies and standard compliance requirements.

Q: Is there a defined process for data imports into the database?

A: CAST products do not import data into the database from external sources. The analysis is based on source code provided directly by the customer. There is no automated or periodic data ingestion process.

Q: How is database monitoring handled?

A: Database monitoring is not managed by the CAST platform itself. It is the responsibility of the customer to monitor critical parameters, events, and operational states of the PostgreSQL database using their preferred tools and procedures.

Q: Is database encryption at rest implemented?

A: It depends on the deployment environment.

  • For cloud-based deployments, database encryption at rest depends on the cloud provider’s capabilities. Most major providers (such as AWS, Azure, or GCP) support encryption at rest using AES-256 or equivalent standards.
  • For on-premise installations, encryption at rest is not configured by default.

Q: In the event of a system failure, does CAST Imaging 3 preserve information necessary for troubleshooting and recovery? (V-222586)

A: The product captures diagnostic and operational data through structured logging. Logs include errors, stack traces, and contextual details for root cause analysis and recovery. Additional documentation is being prepared to specify which data should be backed up for operational recovery.

Q: Does CAST Imaging 3 protect against command injection?

A: The application does not execute system commands or shell operations. All functionality is implemented through secured APIs and services. External integrations use authenticated REST APIs only.

Q: Are CAST Imaging 3 services and interfaces IPv6 compatible?

A: No. CAST Imaging 3 is not compatible with IPv6 networks.

Q: Does CAST Imaging 3 have an incident response plan for application-level issues?

A: CAST Imaging 3 is regularly scanned using Trivy. High and critical vulnerabilities are remediated. Reported incidents are managed via support tickets, with escalation to R&D and permanent fixes when required.


User Sessions and Authentication

Q: Does the system limit the number of concurrent user sessions?

A: CAST Imaging uses Keycloak to manage user sessions. Session limits can be configured as described in the Keycloak Administration Guide.

Q: Does the system automatically terminate or lock sessions after inactivity or timeout?

A: By default, CAST Imaging does not automatically terminate or lock sessions after inactivity or timeout. However, this behavior can be configured through Keycloak settings to enforce session termination or lockout after a defined period of inactivity.

Q: Does the system provide users with the ability to log out and terminate their session?

A: Users can log out at any time to end their session. Upon logout, they are redirected to the Keycloak login page, confirming secure session termination.


Account Management and Access Control

Q: Does the system disable inactive or deactivated accounts?

A: CAST Imaging inherits account status from external directories such as LDAP or Active Directory. If an account is disabled there, it is automatically unusable in Keycloak.

Q: Are privileged accounts restricted to authorized administrators?

A: Only designated administrators can access privileged functions in CAST Imaging. Standard users have no administrative privileges.

Q: Does the system enforce logical access control and role-based authorization?

A: CAST Imaging enforces role-based access control through Keycloak, ensuring users access only authorized data and functionalities.

Q: Can administrators immediately disable user access or remote sessions?

A: Administrators can disable accounts in Keycloak to immediately revoke access and terminate active sessions.

Q: Does the system enforce account lockout after repeated failed login attempts?

A: By default, CAST Imaging (via Keycloak) does not enforce account lockout after repeated failed login attempts. However, this feature can be configured in Keycloak’s administrative console as described in the Keycloak Administration Guide.


Session and Communication Security

Q: Does the system protect data in transit and at rest?

A: Data in transit is encrypted with TLS. Data at rest is not encrypted but protected through secure access controls.


Audit and Logging

Q: Does the system generate audit logs capturing key user and system events?

A: By default, CAST Imaging does not generate audit logs. However, when the audit logging option is enabled in Keycloak, the system records key user and system events, including event type, source, timestamp, and outcome.

Q: Are audit logs protected from unauthorized access or modification?

A: Access to audit logs is restricted to administrators. Role-based permissions prevent unauthorized viewing, editing, or deletion.

Q: Does the system log and audit account management actions (creation, modification, removal, enable/disable)?

A: Keycloak records account management actions when “Admin Event Logging” is enabled. Logs can be exported.
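Several answers above (inactivity timeout, account lockout after failed logins, password policy, user and admin event logging) state that the control exists in Keycloak but is off until an administrator configures it. The following added example, which is not CAST's or Keycloak's own code, audits a Keycloak realm export for exactly those settings and shows a hardened counterpart; the realm name, the sample export and the thresholds are constructed assumptions.

```python
import json

# Constructed sample: a trimmed Keycloak realm export (RealmRepresentation
# fields) with Keycloak's defaults, which the FAQ notes leave lockout,
# inactivity timeout and audit logging unconfigured until an admin sets them.
SAMPLE_REALM = json.loads("""{
  "realm": "cast-imaging-example",
  "bruteForceProtected": false,
  "failureFactor": 30,
  "ssoSessionIdleTimeout": 1800,
  "passwordPolicy": "",
  "eventsEnabled": false,
  "adminEventsEnabled": false,
  "adminEventsDetailsEnabled": false
}""")

def audit_realm(realm, max_idle_seconds=900, max_failures=5):
    """Return findings for the Keycloak controls the FAQ says must be configured (thresholds assumed)."""
    findings = []
    if not realm.get("bruteForceProtected", False):
        findings.append("lockout: bruteForceProtected is false")
    elif realm.get("failureFactor", 30) > max_failures:
        findings.append(f"lockout: failureFactor {realm['failureFactor']} > {max_failures}")
    idle = realm.get("ssoSessionIdleTimeout", 0)
    if idle == 0 or idle > max_idle_seconds:
        findings.append(f"session: ssoSessionIdleTimeout {idle}s > {max_idle_seconds}s")
    policy = realm.get("passwordPolicy") or ""
    for rule in ("length", "forceExpiredPasswordChange"):  # length and expiration rules
        if rule not in policy:
            findings.append(f"password: policy lacks '{rule}'")
    if not realm.get("eventsEnabled", False):
        findings.append("audit: eventsEnabled is false (user events not recorded)")
    if not realm.get("adminEventsEnabled", False):
        findings.append("audit: adminEventsEnabled is false (account changes not recorded)")
    return findings

def hardened(realm):
    """Copy of the realm with the FAQ's configurable controls switched on (input is not mutated)."""
    fixed = dict(realm)
    fixed.update({
        "bruteForceProtected": True, "failureFactor": 5, "maxFailureWaitSeconds": 900,
        "ssoSessionIdleTimeout": 900,
        "passwordPolicy": "length(12) and upperCase(1) and digits(1) and "
                          "notUsername and forceExpiredPasswordChange(90)",
        "eventsEnabled": True, "adminEventsEnabled": True, "adminEventsDetailsEnabled": True,
        "enabledEventTypes": ["LOGIN", "LOGIN_ERROR", "LOGOUT", "UPDATE_PASSWORD"],
    })
    return fixed
```

Running audit_realm on the sample reports six findings; running it on hardened(SAMPLE_REALM) reports none, which is the state the answers above describe as achievable through Keycloak configuration.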