Purpose
The purpose of this How-To post is to explain how to check your application for security flaws.
The actions presented here were performed with AIP Console 1.9.0.
Use case
As an Application Owner, you have onboarded an application in AIP Console and want to check whether it contains any security flaw. This can be done with the User Input Security Analysis feature; for that, you must have analyzed a version and generated a snapshot.
About User Input Security Analyzer
The User Input Security Analyzer is a very powerful feature delivered within the CAST AIP platform. It performs a deep source code scan that identifies all paths from user-input methods to specific data-access methods and reports the paths that have not been secured. This contributes to a specific subset of the security rules supported by the CAST AIP platform; the remaining security rules (there are many) are not based on the dataflow technique.
Since version 8.3.8 of CAST AIP, performance has improved significantly:
- in run time
- in memory consumption
- in accuracy of results, with a very low number of false negatives.
See below the latest CAST OWASP benchmark:
Enabling the feature
The User Input Security Analysis is available only for the JEE and DotNet technologies. If your application contains these technologies, go to the Config / SECURITY DATAFLOW page and activate the detection with the corresponding slider:
Until you deactivate the detection, each time you run a scan to produce a snapshot, the technology analyzers generate intermediate code (aka Cast-IL) for every source file of the considered technology they parse. This intermediate code is then processed by the Security Dataflow Analyzer, which searches for insecure paths between user input sources and user input targets.
User Input Security analysis findings
Once the scan completes, you can review the intermediate results produced by the Security Dataflow Analyzer.
Go to the Security Dataflow page:
The page shows three sections:
- Analysis Findings
- Analysis Status
- Black Box
The first section lists the searches, with the number of user input targets and sources and the number of flaws that have been detected.
The second section indicates whether the security dataflow analysis went well. If the Dataflow analysis failed, the values presented in the section above may not be relevant.
The third section is dedicated to customizing the User Input Security Analysis with additional black-boxes. This requires version 8.3.11 of CAST AIP to be installed on the Analysis Node. You will find more details on how to create a black-box in User Input Security - manually configuring blackbox methods. You can restart the detection by clicking the button below:
This runs only the Security Dataflow Analysis, since the intermediate code is already available. Once it completes, the Analysis Findings table is refreshed. However, this is only for tuning purposes: to propagate the results to the dashboard, you will have to produce a new analysis.
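To make concrete what the Security Dataflow Analyzer searches for (paths from user input sources to user input targets that pass through no sanitizing step) and how declaring a black-box method changes the findings, here is an added example. It is not CAST code, not its intermediate code format and not its algorithm: it is a deliberately simplified source-to-target path search over a hand-written, constructed call graph with hypothetical method names, with the black-box configuration modelled as a set of sanitizer methods. Re-running the classification with an empty black-box set mirrors what you would see when you restart the detection after changing that configuration.

```python
from typing import Dict, List, Set, Tuple

# Constructed example data (hypothetical method names, not CAST output):
# each key is a method, each value lists the methods it hands user-controlled
# data to. A real analyzer derives this from the intermediate code it
# generates; here it is written by hand so the example runs stand-alone.
FLOWS: Dict[str, List[str]] = {
    "HttpServletRequest.getParameter": ["LoginServlet.doPost"],
    "LoginServlet.doPost": ["UserDao.findByName", "Utils.escapeSql"],
    "Utils.escapeSql": ["UserDao.findByNameSafe"],
    "UserDao.findByName": ["Statement.executeQuery"],
    "UserDao.findByNameSafe": ["Statement.executeQuery"],
    "ReportServlet.doGet": ["ReportDao.byId"],           # not fed by a source
    "ReportDao.byId": ["PreparedStatement.setString"],
}
SOURCES: Set[str] = {"HttpServletRequest.getParameter"}   # user input sources
TARGETS: Set[str] = {"Statement.executeQuery"}            # user input targets
# Black-box configuration: a method whose body the analyzer does not see and
# which the user declares as a sanitizer (hypothetical name).
SANITIZERS: Set[str] = {"Utils.escapeSql"}


def find_paths(flows: Dict[str, List[str]], sources: Set[str],
               targets: Set[str]) -> List[List[str]]:
    """Enumerate every simple path from a source to a target (depth-first)."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in targets:
            paths.append(path)
            return
        for nxt in flows.get(node, []):
            if nxt not in path:          # skip cycles
                walk(nxt, path + [nxt])

    for src in sorted(sources):
        walk(src, [src])
    return paths


def classify(paths: List[List[str]],
             sanitizers: Set[str]) -> Tuple[List[List[str]], List[List[str]]]:
    """Split paths into secured (pass through a sanitizer) and flaws."""
    secured: List[List[str]] = []
    flaws: List[List[str]] = []
    for path in paths:
        if any(step in sanitizers for step in path):
            secured.append(path)
        else:
            flaws.append(path)
    return secured, flaws


def analysis_findings(flows: Dict[str, List[str]], sources: Set[str],
                      targets: Set[str], sanitizers: Set[str]) -> Dict[str, int]:
    """Counts in the shape of the Analysis Findings table: sources and targets
    that actually take part in a path, and the number of unsecured paths."""
    paths = find_paths(flows, sources, targets)
    _, flaws = classify(paths, sanitizers)
    return {
        "sources": len({p[0] for p in paths}),
        "targets": len({p[-1] for p in paths}),
        "flaws": len(flaws),
    }


if __name__ == "__main__":
    secured, flaws = classify(find_paths(FLOWS, SOURCES, TARGETS), SANITIZERS)
    for p in flaws:
        print("FLAW   :", " -> ".join(p))
    for p in secured:
        print("SECURED:", " -> ".join(p))
    print(analysis_findings(FLOWS, SOURCES, TARGETS, SANITIZERS))
    # Same graph with the black-box declaration removed: the path through the
    # escaping helper is now reported as a flaw too.
    print(analysis_findings(FLOWS, SOURCES, TARGETS, set()))
```

With the sanitizer declared, the path through `UserDao.findByName` is the one flaw and the path through `Utils.escapeSql` is secured; with no black-box declared, both paths to `Statement.executeQuery` are reported. The path starting at `ReportServlet.doGet` never appears because no user input source feeds it, which is why a missing or wrongly configured source list can hide real findings.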
The outcome will look like: