As described in Deployment - security, to deploy CAST AIP securely, the various CAST AIP components are divided into two distinct groups known as Front and Back Office. A standard CAST AIP installation is described in Installing CAST AIP which you should read and understand. However, this section describes all the additional configuration that should be completed for the Front Office components (over and above the standard CAST AIP installation) to ensure that the deployment of CAST AIP conforms to security standards.
The Delivery folder is first and foremost a location used by the CAST AIC Portal for storing successive and compressed versions of an application's source code as packaged by the Delivery Manager(s) using the CAST Delivery Manager Tool. In addition, the CAST Management Studio also requires access to this same Delivery folder so that source code packaged by the Delivery Manager(s) can be acquired and then analyzed.
As such, the choice of location for the Delivery folder is extremely important and may impact where the CAST AIC Portal is installed.
CAST Storage Service
If you decide to use the CAST Storage Service (a dedicated database system provided by CAST) to host the Storage components (the CAST schemas: Management Service, Analysis Service, Dashboard Service and Measurement Service) instead of using a commercially available (and supported) RDBMS (such as Microsoft SQL Server or Oracle Server), you will need to use a dedicated physical machine.
You can deploy the CAST Storage Service either on Linux or Windows, however, for security and performance reasons, it is highly recommended to deploy the CAST storage Service on Linux:
- CAST provides a dedicated Windows installer (see Install CAST AIP) for the CAST Storage Service
- For Linux environments, please refer to deploying CAST Storage Service on Linux.
Web application server and web applications
The objective is to configure the CAST web applications in accordance with OWASP (Open Web Application Security Project) guidelines. This configuration has been tested by CAST via a security audit. To secure the web applications, you will need to configure:
- The web application server on a dedicated machine (CAST provides documentation for deployment on Apache Tomcat only. Other web application servers may be compatible (see Supported Platforms), but no documentation is provided).
- Each web application (i.e. the CAST AIC Portal, Health Dashboard (HD), Engineering Dashboard (ED) etc.):
- Use of Active Directory/LDAP authentication methods
- Use of the Audit Trail to trace end user activities
- Secure configuration of back-end database access (only relevant for the HD/ED/RestAIP web applications)
Web application server
- Configuring the use of secure https protocol with Tomcat for the CAST web applications
- Setting up a Reverse Proxy on Apache web server
- Disabling insecure HTTP methods in Apache Tomcat - webdav
- Disabling weak SSL cipher suites to improve security
CAST AIC Portal
Securely configure the CAST AIC Portal as described in CAST AIC Portal - security configuration options. This page details the following security configuration options:
- CAST AIC Portal - Configuring user authentication
- CAST AIC Portal - Configuring the Audit Trail feature
- CAST AIC Portal - Encrypt login and password for LDAP
AAD - AED - RestAPI
Securely configure the Health Dashboard / Engineering Dashboard / CAST Rest-API as described in AAD - ED - RestAPI - security configuration options. This page details the following security configuration options:
End-users / Delivery Managers and the CAST Delivery Manager Tool
The CAST Delivery Manager Tool is a standalone end-user tool that entirely manages the discovery, selection, extraction and delivery of source code ready for analysis in the CAST Management Studio. The CAST Delivery Manager Tool will be prevented from being downloaded from the CAST AIC Portal to a workstation if the following Java JRE settings available in the Java Control Panel are all enabled:
Security Level set to Very High
|Java 7||Java 8|
- Perform certificate revocation checks on is set to All certificates in the chain of trust
- Check for certificate revocation using is set to Online Certificate Status Protocol (OCSP)
CAST recommends that ONE of the following settings is used instead:
- Set the Security Level to High
- Set Perform certificate revocation checks on to Publisher’s certificate only
- Set Check for certificate revocation using to Certifcate Revocation Lists (CRLs)
- Set Check for certificate revocation using to Both CRLs and OCSP
- Put the CAST AIC Portal’s URL into the Exception Site List in the (Security tab of the Java Control Panel):