Security Analyzer - 1.1
Technical information
- com.castsoftware.securityanalyzer is compatible with Core ≥ 8.3.44 and ≥ 8.4.0.
- Once the extension has been installed and used to produce analysis results, this choice cannot be reversed by removing the extension and re-analyzing the source code.
In what situation should you install this extension?
This extension is used as part of the “User Input/Security Dataflow” feature available in CAST. It detects improper user input validation API calls (REST, JMS, etc.), second-order injections, hard-coded elements, the values passed to encryption APIs, and more in your application source code, which can lead to the following security vulnerabilities:
- SQL Injection (CWE-89)
- Cross-Site Scripting (CWE-79)
- LDAP Injection (CWE-90)
- OS Command Injection (CWE-78)
- XPath Injection (CWE-91)
- Path Manipulation (CWE-99)
- Log Forging (CWE-117)
- Uncontrolled Format String (CWE-134)
- Trust Boundary Violation (CWE-501)
- Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute (CWE-614)
- Use of Hard-coded Credentials (Java, C#, VB.NET) (CWE-798)
The extension also provides additional rules and computes (for JEE and .NET only) a large set of security rules that require dataflow technology. Detailed information about how com.castsoftware.securityanalyzer functions can be found in:
Transactions
Transaction support is derived from metamodel concepts used to build CAST Imaging Blueprint and structural transaction flows. Entry Points start transactions; Exit Points include both output/boundary concepts and Data Entities manipulated by transactions.
| Role | Support | Breakdown |
|---|---|---|
| Entry Point | No direct concept type details | |
| Exit Point | No direct concept type details | |
Data version: 1.1.7-funcrel
ISO 5055 Structural Rules
Quality support is based on ISO 5055 structural rules available for the selected extension version. Counts are grouped by ISO 5055 characteristic.
| Reliability | Maintainability | Security | Performance Efficiency |
|---|---|---|---|
Data version: 1.1.7-funcrel
Supported technologies
| Technology | Supported |
|---|---|
| JEE | ✅ |
| .NET | ✅ |
Prerequisites
User Input Security analyses require a minimum of 32GB RAM on the target node.
Download and install the extension
- V1/V2: the extension must be downloaded manually if it is required.
- V3: the extension will be automatically installed when the Security Dataflow feature is enabled as described in Security Dataflow.
Quality rules
- 1.1.7-funcrel
- 1.1.6-funcrel
- 1.1.5-funcrel
- 1.1.4-funcrel
- 1.1.3-funcrel
- 1.1.2-funcrel
- 1.1.1-funcrel
- 1.1.0-funcrel
- 1.1.0-beta1
Other rules calculated by the Security Analyzer are provided in Core.