Summary: CAST AIP 8.3.24 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade

User Input Security

Rule documentation updates

The following changes have been applied to rule documentation (no impact on analysis results):


Avoid code injection

The Reference section has been updated to change the CWE reference from 78 to 94 and 95.

CAST Transaction Configuration Center

Change in behaviour when loading .TCCSetup configuration files (the automatic configuration refresh process)

Previously, when uploading a .TCCSetup file that already existed and whose package-version differed from the existing package-version in the Management schema, the following behaviour applied: each rule was loaded with the status active by default, unless the rule was present in the previous version, its definition was unchanged, and it had been manually deactivated by the user, in which case the rule was set to inactive.

From CAST AIP 8.3.23, this behaviour changes as follows (see also TCC - Working with standard configuration files (.TCCSetup)):

Each rule that was present in the previous version will be loaded with the same status as before, whether the definition of this rule is the same or has changed. If the definition has changed, a warning will be logged to inform the user of this change, as in the example below, where the definitions of an active Entry Point rule and of a deactivated End Point rule have both changed in a new version of the 'Base_HTML5' package:

WRN: -the rule "Standard Entry Point - HTML5 AspDotNet" (type='Transaction entry points') will remain active because although its definition has changed, it has the same name and type as the previously active rule "Standard Entry Point - HTML5 AspDotNet" (type='Transaction entry points').
WRN: -the rule "Standard End Point - HTML5" (type='Transaction end points') will remain deactivated because although its definition has changed, it has the same name and type as the previously deactivated rule "Standard End Point - HTML5 (type='Transaction end points').
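Because a rule now keeps its previous status even when its definition has changed, these warnings are the only record of which rules to re-check after a refresh. The following Python script is an added example, not CAST code: it extracts the rule name, type and retained status from warnings in the format shown above. The function name and the regular expression are assumptions inferred from the two sample lines only.

```python
import re

# Pattern inferred from the two sample warnings on this page (an assumption,
# not a documented CAST log format). Only the first name/type pair is captured,
# because the second rule name in a message may lack its closing quote, as in
# the End Point sample.
WARNING_RE = re.compile(
    r'^WRN:\s*-the rule "(?P<name>[^"]+)" '
    r"\(type='(?P<type>[^']+)'\) "
    r"will remain (?P<status>active|deactivated) "
    r"because although its definition has changed"
)


def rules_needing_review(log_lines):
    """Return one dict per rule whose definition changed but whose status was kept."""
    findings = []
    for line in log_lines:
        match = WARNING_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings


# The two warnings quoted above, followed by one constructed non-matching line.
SAMPLE_LOG = """\
WRN: -the rule "Standard Entry Point - HTML5 AspDotNet" (type='Transaction entry points') will remain active because although its definition has changed, it has the same name and type as the previously active rule "Standard Entry Point - HTML5 AspDotNet" (type='Transaction entry points').
WRN: -the rule "Standard End Point - HTML5" (type='Transaction end points') will remain deactivated because although its definition has changed, it has the same name and type as the previously deactivated rule "Standard End Point - HTML5 (type='Transaction end points').
INF: constructed sample line, not a real TCC message
""".splitlines()


if __name__ == "__main__":
    for rule in rules_needing_review(SAMPLE_LOG):
        print(f"{rule['status']:<12} {rule['type']:<26} {rule['name']}")
```

Rules reported as deactivated are the ones to look at first, since a changed definition may be the reason to re-enable them.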