Security Standards
Extension ID
com.castsoftware.owasp-index
Description
This extension will compute:
- OWASP-2021 , OWASP-2017 , OWASP-2013 top 10 application security risks as technical criteria grades,
- CWE-2022 , CWE-2021 , CWE-2020 , CWE-2019 , CWE-2011 top 25 application security risks as technical criteria grades,
- PCI-DSS-V3.2.1, PCI-DSS-V3.1 security risks as technical criteria grades
All CAST rules that are tagged with a related tag will contribute to the various technical criteria provided by the extension, thereby allowing specific grades and rule violations to be reported.
Compatibility
| Product | Release | Supported |
|---|---|---|
| CAST Imaging Core | ≥ 8.3.24 | ✔️ |
| CAST Engineering Dashboard | ≥ 1.5 | ✔️ |
| CAST Health Dashboard | ≥ 1.17 | ✔️ |
| CAST Security Dashboard | ≥ 1.20 | ✔️ |
Supported indexes/standards
- OWASP 2021
- OWASP 2017
- OWASP 2013
- CWE 2022
- CWE 2021
- CWE 2020
- CWE 2019
- CWE 2011
- PCI DSS 3.2.1
- PCI DSS 3.1
Download and installation instructions
The extension will not be automatically downloaded and installed in CAST Console. If you need to use it, should manually install the extension.
Configuration requirements
Generate a snapshot
A new snapshot must be generated (after the extension is installed) before results can be viewed. If you do not immediately see changes in the dashboard, please consider restarting the dashboard service and/or emptying your browser cache.
Engineering Dashboard
Tiles
Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.18 of the Engineering Dashboard. See Engineering Dashboard tile management for more information.
Clicking on the tile navigates to Risk investigation view and the specified Industry Standard will be selected in the Health Factor table.
Health Dashboard
Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Grade, Compliance, and Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.17 of the Health Dashboard. See Health Dashboard tile management for more information. Clicking on any of these tiles will display a list of the rules that have been tagged with the specified standard as provided by the extension. Compliance percentage is also displayed in a “bubble”.
Example for cmp.json
Configuration to create a “gauge” tile at portfolio level (multi-app level) to show an OWASP-2017 A1-2017 tile:
{
"id": 1234,
"plugin": "IndustryStandards",
"color": "black",
"parameters": {
"type": "OWASP-2017",
"title": "OWASP-2017 A1-2017",
"widget": "gauge",
"industryStandard": {
"id": "1062321",
"indexID": "1062320",
"mode": "grade",
"format": "0.00",
"description": "OWASP-2017 A1-2017, in grade format"
}
}
}
Example for app.json
Configuration to create a “number of violations” tile at application level (single app level) to show an OWASP-2017 A1-2017 tile:
{
"id": 1236,
"plugin": "IndustryStandard",
"color": "orange",
"parameters": {
"type": "OWASP-2017",
"title": "OWASP-2017 A1-2017",
"industryStandard": {
"id": "1062321",
"indexID": "1062320",
"mode": "violations",
"format": "0,000",
"description": "OWASP-2017 A1-2017, in number of violations format"
}
}
}
What results can you expect?
Once the analysis/snapshot generation has completed, you can view the results in the dashboards:
Assessment Model
Various Business and Technical Criteria will be added by the extension:
OWASP 2021
| ID | Name | Type |
|---|---|---|
| 1062340 | OWASP-2021 | Business Criterion |
| 1062341 | A01-2021 | Technical Criterion |
| 1062342 | A02-2021 | Technical Criterion |
| 1062343 | A03-2021 | Technical Criterion |
| 1062344 | A04-2021 | Technical Criterion |
| 1062345 | A05-2021 | Technical Criterion |
| 1062346 | A06-2021 | Technical Criterion |
| 1062347 | A07-2021 | Technical Criterion |
| 1062348 | A08-2021 | Technical Criterion |
| 1062349 | A09-2021 | Technical Criterion |
| 1062350 | A10-2021 | Technical Criterion |
OWASP 2017
| ID | Name | Type |
|---|---|---|
| 1062320 | OWASP-2017 | Business Criterion |
| 1062321 | A1-2017 | Technical Criterion |
| 1062322 | A2-2017 | Technical Criterion |
| 1062323 | A3-2017 | Technical Criterion |
| 1062324 | A4-2017 | Technical Criterion |
| 1062325 | A5-2017 | Technical Criterion |
| 1062326 | A6-2017 | Technical Criterion |
| 1062327 | A7-2017 | Technical Criterion |
| 1062328 | A8-2017 | Technical Criterion |
| 1062329 | A9-2017 | Technical Criterion |
OWASP 2013
| ID | Name | Type |
|---|---|---|
| 1062300 | OWASP-2013 | Business Criterion |
| 1062301 | A1-2013 | Technical Criterion |
| 1062302 | A2-2013 | Technical Criterion |
| 1062303 | A3-2013 | Technical Criterion |
| 1062304 | A4-2013 | Technical Criterion |
| 1062305 | A5-2013 | Technical Criterion |
| 1062306 | A6-2013 | Technical Criterion |
| 1062307 | A7-2013 | Technical Criterion |
| 1062308 | A8-2013 | Technical Criterion |
| 1062309 | A9-2013 | Technical Criterion |
| 1062310 | A10-2013 | Technical Criterion |
CWE
| ID | Name | Type |
|---|---|---|
| 1066000 | CWE-2011 | Business Criterion |
| 1066001 | CWE-2019 | Business Criterion |
| 1066002 | CWE-2020 | Business Criterion |
| 1066003 | CWE-2021 | Business Criterion |
| 1066004 | CWE-2022 | Business Criterion |
| 1066122 | CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | technical-criterion |
| 1066178 | CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | technical-criterion |
| 1066179 | CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | technical-criterion |
| 1066189 | CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | technical-criterion |
| 1066220 | CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | technical-criterion |
| 1066231 | CWE-131 - Incorrect Calculation of Buffer Size | technical-criterion |
| 1066234 | CWE-134 - Use of Externally-Controlled Format String | technical-criterion |
| 1066290 | CWE-190 - Integer Overflow or Wraparound | technical-criterion |
| 1066350 | CWE-250 - Execution with Unnecessary Privileges | technical-criterion |
| 1066406 | CWE-306 - Missing Authentication for Critical Function | technical-criterion |
| 1066407 | CWE-307 - Improper Restriction of Excessive Authentication Attempts | technical-criterion |
| 1066411 | CWE-311 - Missing Encryption of Sensitive Data | technical-criterion |
| 1066427 | CWE-327 - Use of a Broken or Risky Cryptographic Algorithm | technical-criterion |
| 1066452 | CWE-352 - Cross-Site Request Forgery (CSRF) | technical-criterion |
| 1066534 | CWE-434 - Unrestricted Upload of File with Dangerous Type | technical-criterion |
| 1066594 | CWE-494 - Download of Code Without Integrity Check | technical-criterion |
| 1066701 | CWE-601 - URL Redirection to Untrusted Site (‘Open Redirect’) | technical-criterion |
| 1066776 | CWE-676 - Use of Potentially Dangerous Function | technical-criterion |
| 1066832 | CWE-732 - Incorrect Permission Assignment for Critical Resource | technical-criterion |
| 1066859 | CWE-759 - Use of a One-Way Hash without a Salt | technical-criterion |
| 1066898 | CWE-798 - Use of Hard-coded Credentials | technical-criterion |
| 1066907 | CWE-807 - Reliance on Untrusted Inputs in a Security Decision | technical-criterion |
| 1066929 | CWE-829 - Inclusion of Functionality from Untrusted Control Sphere | technical-criterion |
| 1066962 | CWE-862 - Missing Authorization | technical-criterion |
| 1066963 | CWE-863 - Incorrect Authorization | technical-criterion |
| 1066120 | CWE-20 - Improper Input Validation | technical-criterion |
| 1066194 | CWE-94 - Improper Control of Generation of Code (‘Code Injection’) | technical-criterion |
| 1066219 | CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer | technical-criterion |
| 1066225 | CWE-125 - Out-of-bounds Read | technical-criterion |
| 1066300 | CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor | technical-criterion |
| 1066369 | CWE-269 - Improper Privilege Management | technical-criterion |
| 1066387 | CWE-287 - Improper Authentication | technical-criterion |
| 1066395 | CWE-295 - Improper Certificate Validation | technical-criterion |
| 1066500 | CWE-400 - Uncontrolled Resource Consumption | technical-criterion |
| 1066516 | CWE-416 - Use After Free | technical-criterion |
| 1066526 | CWE-426 - Untrusted Search Path | technical-criterion |
| 1066576 | CWE-476 - NULL Pointer Dereference | technical-criterion |
| 1066602 | CWE-502 - Deserialization of Untrusted Data | technical-criterion |
| 1066711 | CWE-611 - Improper Restriction of XML External Entity Reference | technical-criterion |
| 1066872 | CWE-772 - Missing Release of Resource after Effective Lifetime | technical-criterion |
| 1066887 | CWE-787 - Out-of-bounds Write | technical-criterion |
| 1066622 | CWE-522 - Insufficiently Protected Credentials | technical-criterion |
| 1066177 | CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | technical-criterion |
| 1066376 | CWE-276 - Incorrect Default Permissions | technical-criterion |
| 1067018 | CWE-918 - Server-Side Request Forgery (SSRF) | technical-criterion |
| 1066462 | CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | technical-criterion |
PCI DSS
| ID | Name | Type |
|---|---|---|
| 1063000 | PCI-DSS-V3.1 | Business Criterion |
| 1063001 | PCI-DSS-V3.2.1 | Business Criterion |
| 1063101 | PCI-Requirement-1.3.8 - Do not disclose private IP addresses and routing information to unauthorized parties. | technical-criterion |
| 1063103 | PCI-Requirement-2.2.4 - Configure system security parameters to prevent misuse. | technical-criterion |
| 1063108 | PCI-Requirement-3.6.1 - Generation of strong cryptographic keys | technical-criterion |
| 1063109 | PCI-Requirement-4.1 - Use strong cryptography and security protocols | technical-criterion |
| 1063112 | PCI-Requirement-6.2 - Ensure all Systems and Software are Protected from Known Vulnerabilities | technical-criterion |
| 1063113 | PCI-Requirement-6.3.1 - Remove Development and Test Accounts, User IDs, and Passwords Before Release | technical-criterion |
| 1063114 | PCI-Requirement-6.5.1 - Injection flaws, particularly SQL injection | technical-criterion |
| 1063115 | PCI-Requirement-6.5.10 - Broken authentication and session management | technical-criterion |
| 1063116 | PCI-Requirement-6.5.2 - Buffer overflows | technical-criterion |
| 1063117 | PCI-Requirement-6.5.3 - Insecure cryptographic storage | technical-criterion |
| 1063118 | PCI-Requirement-6.5.4 - Insecure communications | technical-criterion |
| 1063119 | PCI-Requirement-6.5.5 - Improper error handling | technical-criterion |
| 1063120 | PCI-Requirement-6.5.6 - All high risk vulnerabilities | technical-criterion |
| 1063121 | PCI-Requirement-6.5.7 - Cross-site scripting (XSS) | technical-criterion |
| 1063122 | PCI-Requirement-6.5.8 - Improper access control | technical-criterion |
| 1063123 | PCI-Requirement-6.5.9 - Cross-site request forgery (CSRF) | technical-criterion |
| 1063126 | PCI-Requirement-8.2.1 - Using strong cryptography | technical-criterion |
Engineering Dashboard
Out of the box, results are displayed in a specific interface - click the relevant Assessment Model option to view the results:
For example, for OWASP 2013 and 2017:
Health Dashboard
Out of the box, no results are provided. Tiles can be configured manually as described above.
Security Dashboard
Out of the box, OWASP results are displayed in a specific interface - click either the OWASP-2013 or OWASP-2017 Assessment Model options (after clicking the Risk Investigation tile in the Application home page) to view the results:
RestAPI
The RestAPI can be used to query both the Dashboard (AED) and Measurement (AAD) schemas for results, for example for OWASP results:
