|Version||Summary of content|
RestAPI APIKey for SAML authentication
If you have enabled SAML authentication mode for your CAST Security Dashboard/RestAPI deployment, some clients applications may not be able to authenticate. This is because SAML is designed as a single sign-on mode for browsers and therefore non-browser clients cannot use the protocol. In order to resolve this issue, CAST provides the ability to define an API Key in the CAST Security Dashboard/RestAPI that can be used to bypass SAML authentication.
How does this work?
- SAML authentication mode is enabled and configured for your CAST Security Dashboard/RestAPI deployment
- In addition, an API Key is defined in the security.properties file in your CAST Security Dashboard/RestAPI deployment
- The API Key is used instead of a password to authenticate
- Clients must use two specific HTTP headers to ensure that the API Key is used
- X-API-KEY: the API Key matching the key defined in the security.properties file
- X-API-USER: a defined user name to obtain a CAST Security Dashboard/RestAPI role and data authorization
- When an API Key is used to bypass SAML mode, the user will be automatically granted the "ADMIN" role even if this role has not explicitly been granted to the user in question.
You can find out more about this in CAST Dashboard Package - RestAPI authentication using an API key.
Injecting custom tags
If you need to use custom tags in the GUI features described above, you can manually inject them using CURL. For example:
Where data.csv contains the custom tags you wish to inject, using a rule ID and custom tag pair on each line as follows:
See also: Health Results Resources - 1.11.0.
Easy method for locating violations added to Action Plan or Exclusions list
The icons displayed in the violation lists in the Application Investigation, Risk Investigation and Transaction Investigation views to depict violations that have been added to the Action Plan or Exclusion list are now clickable. Clicking the icons will take you direct to the Action Plan/Exclusion List and highlight the violation.
Following icons are now clickable:
Highlighted violation on clicking an icon:
Ability to view parameter names and values for parameterized rules
After selecting any "parameterized" rules (only legacy rules), it is now possible to see the Parameter Details section under the "Violation Details" section. The Parameter Details section displays Parameter Name along with the values of the Parameter Details.
Ability to add a Custom Report category
It is now possible to add your own Custom Report category, alongside the existing default "Custom Report" category. This custom category can then be populated with custom reports in exactly the same way as the default "Custom Reports" category. See Security Dashboard - Report Generation configuration for more information.
Improvement to Show More button
The behaviour of the Show More button has been improved in this release. Now when choosing to show additional violations using the +10, +100 or All options, the list of violations will anchor to the next set of violations instead of resetting and anchoring to the start of the list. The Show More button is available in various pages throughout the dashboard:
Basic Search results now exclude critical rules when "Only critical violations" filter is active
The Basic Search will now exclude rules flagged as critical from the search results when the Only critical violations filter is active. When searching for a non-critical rule and the Only critical violations filter is active, a message will be displayed stating No results were found to match your search. In previous releases, non-critical rules were included in the search results even when the Only critical violations filter was active.
Basic Search and Only critical violations filter are located in the top menu bar:
Background Facts tiles
It is now possible to configure a tile to display Background Facts that you have manually configured and uploaded during the snapshot generation (see Background Facts and Business Value Metric upload). The tile can display information about one metric that you have defined in the uploaded Background Facts file. See CAST Dashboard Package - Engineering Dashboard tile management for more information about configuring the tile.
New CODE_RESTRICTED role
A new role has been implemented in this release: CODE_RESTRICTED. This role can be granted to users who do not have the right to view source code in the Security Dashboard. For example:
- when drilling down in the Risk Investigation view
- when drilling down in the Action Plan and Exclusion lists
- when clicking More Violation Paths for security based rules
To enable the role, see Configuring user roles. When enabled, a message is displayed in the Dashboard as follows:
Click to enlarge:
Advanced Search - Transactions ordered by TRI value and ability to filter on Business Risk driver
The Advanced Search for Transactions has been modified:
- Transactions are now ordered by risk level (i.e. the Transaction Risk Index (TRI) value: TRI is an indicator of the riskiest transactions of the application. The TRI number reflects the cumulative risk of the transaction based on the risk in the individual objects contributing to the transaction. The TRI is calculated as a function of the rules violated, their weight/criticality, and the frequency of the violation across all objects in the path of the transaction. TRI is a powerful metric to identify, prioritize and ultimately remediate riskiest transactions and their objects.)
- It is possible to filter based on a Business Risk driver such as Efficiency, Robustness, Security or None
Add custom filters to Action Plan based on 'Comment', 'Priority' and 'Status' columns
In the Action Plan list it is now possible to filter the table by Priority, Status and Comment columns. The count for 'added', 'pending' and 'solved' will therefore adjust depending on the selected filter. Filter icons are now added to the column headings:
- Priority - options are taken from the ced.json file, for example: All tags, low, moderate, high, extreme.
- Status - options are set by default and cannot be edited: added, pending, solved.
- Comment - type in the "SEARCH ON COMMENTS" box on the right hand side . When there is no match found for desired search it will show "No Violations found".
Export rule details to XLSX file from Application Investigation view
It is now possible to export rule details to an Excel compatible XLSX file from the Application Investigation view:
The resulting XLSX file will contain the following details: