Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.



Panel
bgColor#F0F0F0

On this page:

Table of Contents
maxLevel4


Info
Summary: this page describes the new features and bugs that have been fixed in the CAST Security Dashboard 1.8.0.

Content matrix

VersionSummary of content
1.8.0
  • Default Security tiles have been renamed and now show different content
  • Education and Continuous Improvement introduced
  • Educate option in Advanced search results now available
  • Session time-out re-design

Resolved issues

Internal IDCall IDSituation
DASHBOARDS-564-Dashboard truncates "Rational" text in the violation drill-down page.

New features

SEC-207 - Default security tiles have been renamed and now use different tags

The default tiles CWE and OWASP have been renamed and now use different tags:

Old NameOld TagNew NameNew Tag
CWECWECWE-Top25CWE-2011-Top25
OWASPOWASPOWASP-2017OWASP-2017

These tiles display the number of Violations or Critical Violations in the Application for rules that have the selected tag (i.e CWE-2011-Top25 and OWASP-2017). Clicking on these tiles navigates to the Risk investigation view with the specific tag selected at the top of the table . "All Rules" will be selected in the Technical Criteria table and the list of rules displayed will all be tagged with the selected tag:

Click to enlarge

DASHBOARDS-559 - Education List now has its own sidebar menu access

The Education List has been separated out from the Action Plan and Exclusions tabs and now has its own sidebar menu access title Education and Continuous Improvement. The Action Plan and Exclusions lists remain in their existing locations:

Education and Continuous ImprovementMonitor Actions and Exclusions

In addition, the Active column has now been replaced with the Action column:

Click to enlarge

Previously the Active column described (via a simple Yes/No) whether the rule would be added to the Action Plan when the next snapshot is run. The behaviour in the new Action column is the same but the wording has been changed:

  • Mark for continuous improvement - the violations associated to the rule will not be added to the Action Plan when the next snapshot is run
  • Mark for action - the violations associated to the rule will be added to the Action Plan when the next snapshot is run

Finally, when adding violations to the Education list, the popup dialog that is displayed has an option that will force the associated violations to be added to the Action Plan. Previously this option was called Active on next snapshot and is now adrop down list with two options: Mark for Action and Mark for continuous improvement (the behaviour is the same):

Click to enlarge:


DASHBOARDS-589 - New Continuous Improvement tile

A new tile has been added to the dashboard home page:

This tile shows the following information:

  • Removed Violations in the current snapshot
  • Added Violations in the current snapshot

No data is shown when a previous snapshot is activated. Clicking the tile will take you direct to the new Improvement tab, which is part of Education and Continuous Improvement.

Anchor
tab
tab
DASHBOARDS-704 - New Continuous Improvement tab

A new Improvement tab has been added to the new Education and Continuous Improvement option in the side bar menu:

What information does this tab provide?

Expand

This page allows you to view details/violations/statistics about the rules that have been selected for Education:

  • All the rules marked for "Education" are listed in the upper right corner, with a selector for all the rules. Selecting or deselecting a rule will update the statistics and graphs. By default, the first rule in the upper right corner will always be selected when accessing the Improvement tab:

  • Three violation status radio buttons listed in the bottom right corner - selecting a specific option will update the statistics and graphs about the rules that have been selected in the upper right corner:

  • A graph depicting violations count in the y-axis and snapshots date in the x-axis together with a Violations improvement-summary on top of the Graph:

  • Table showing a list of Violations in the current snapshot for all rules selected in the upper right corner:

When no rules have been added to the Education tab, the page will display:

When a previous snapshot is active, no data can be displayed in the Improvement tab and the following will be displayed:

Rules can be exported to Excel:

Violation statuses

Selecting one of the three Violation statuses will update the graphs as described below:

Expand



Added 

On selection of the Added status, the graph will display the number of Violations added in the current snapshot and the number of Violations added since initial snapshot for a selected rule. Hovering the mouse pointer over the graph tool tip text displays added violations count, snapshot version and snapshot date for that particular snapshot in the x-axis:

Removed

On selection of the Removed status, the graph will display the number of Violations removed in the current snapshot and the number of Violations removed since initial snapshot for a selected rule. Hovering the mouse pointer over the graph tool tip text displays added violations count, snapshot version and snapshot date for that particular snapshot in the x-axis:

Total

On selection of the Total status , the graph will display the number of Violations in current snapshot, percentage (number) of violations that have Increased since initial snapshot and the percentage of violations that have Increased since previous snapshot for a selected rule.  Hovering the mouse pointer over the graph tool tip text displays added violations count, snapshot version and snapshot date for that particular snapshot in the x-axis:

DASHBOARDS-470 - Advanced Search, implement clear all filter selection in one go

When using the Advanced Search feature, it is now possible to clear any selections that have been made in the list of results, in one go. Use the Clear Selection option in the option menu - all selections that have already been made (ticks in the check boxes) will be cleared:

DASHBOARDS-496 - Advanced search, ability to add items to Action Plan, Exclusion list and Education list

It is now possible to add items to the Action Plan, Exclusion list and Education list from the Advanced search results page, depending on the roles that the current user has been granted (i.e. if you do not have the appropriate role, you cannot add the item to the list):

Click to enlarge:

Info

Note that when a user has all available roles, the drop down options will be enabled as below:

  • Selector will be disabled if a Rule is added to Educate and violations (belonging to the rule) are added either to Action Plan or Exclusion:

  • Selector will be enabled when violation/rule is added only to Action plan/Exclusion/Educate. But respective drop-down option will be disabled:

DASHBOARDS-739 - Session timeout redesign

In order to comply with security standards, the way the dashboards handle session timeout has been re-designed. Users will now be notified when the dashboard detects a session timeout (i.e. there is no GET or POST activity) with an opportunity to continue the session (if within the timeout period) or log back in (if the timeout period has expired) to the system. The implementation is supported for all possible authentication modes: Default, LDAP and SAML.

On timeout, the following dialog box will be displayed - this indicates (in the upper right corner) how many seconds are remaining before a re-login will be required - the default remaining seconds is set to 10. Clicking Continue will return to the session without requiring a login:

Click to enlarge

If the Time left gets to 0, then the Continue button will be disabled and the re-login button will be activated. Clicking Re-login will return the user to the login screen where authentication is required to continue the session:

Click to enlarge

Info
Note that when SAML/SSO authentication is in operation, users will be redirected to the dashboard home page (i.e. no need to re-login) when they click the Re-Login button.

You can modify the remaining seconds before a login is required by editing the following files:

Code Block
languagetext
%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json

Add the following line in the "configuration" parentheses, where xx = the number of seconds you want to define before a login is required:

Code Block
languagetext
"alertTimeoutInterval":xx,

For example, 30 seconds has been defined:

Code Block
languagetext
"configuration": {
    "defaultLanguage": "English",
    "description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
    "customLanguages": [],
    "requestAccess": false,
    "confirmLogout": true,
    "violationsCount" : 5000,
	"alertTimeoutInterval":30,