Security Analyzer - 1.1

Extension ID

com.castsoftware.securityanalyzer

What’s new?

See Release Notes - 1.1.

Technical information

When installed, this extension replaces the Security Analyzer embedded in CAST Imaging Core:

  • The Security Analyzer embedded in CAST Imaging Core will continue to exist and will be shipped “out of the box” with CAST Imaging Core.
  • Critical bugs will continue to be fixed in the Security Analyzer embedded in CAST Imaging Core but no new features or functionality will be added.
  • The Security Analyzer extension will have exactly the same features and functionality on release as the Security Analyzer embedded in CAST Imaging Core, therefore analysis results will be identical.
  • The Security Analyzer extension is compatible with CAST Imaging Core ≥ 8.3.44.
  • All future development of the Security Analyzer (new features, functionality etc.) will be completed in the Security Analyzer extension only. Critical bug fixes will be fixed in the Security Analyzer extension (as well as the analyzer embedded in CAST Imaging Core).
  • The behaviour is as follows:
    • Nothing is automatic - for both CAST Imaging Console and “legacy” CAST deployments, the Security Analyzer extension must be manually downloaded and installed in order to use it.
    • If the extension is installed, CAST Imaging Console will automatically detect that it exists and will use the extension rather than the analyzer embedded in CAST Imaging Core.
    • Once the extension has been installed and used to produce analysis results, it is not possible to reverse this choice by removing the extension and re-analyzing the source code again.

In what situation should you install this extension?

You should install this extension when you want to detect improper user input validation, API calls (REST, JMS, etc.), second order injections, hard-coded elements, correct values for encryption APIs, and more in your application source code, which can lead to the following security vulnerabilities:

  • SQL Injection (CWE-89)
  • Cross-Site Scripting (CWE-79)
  • LDAP Injection (CWE-90)
  • OS Command Injection (CWE-78)
  • XPath Injection (CWE-91)
  • Path Manipulation (CWE-99)
  • Avoid Log forging vulnerabilities (CWE-117)
  • Avoid uncontrolled format string (CWE-134)
  • Trust Boundary Violation (CWE-501)
  • Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute (CWE-614)
  • Use of hard-coded credential (Java, C#, VB.NET languages) (CWE-798)

The extension also provides additional rules and, for JEE and .NET only, computes a large set of security rules that require dataflow technology. Detailed information about how the Security Analyzer functions can be found in Application - Security Dataflow.
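To make the "improper user input validation" and dataflow wording concrete, the following Java snippet is an added illustration written for this page; it is not code from CAST or from the Security Analyzer. It shows the shape of source-to-sink flow that a SQL Injection (CWE-89) rule reports (an untrusted value concatenated into query text) next to the parameterized form that such a rule does not flag. The class and method names (UserLookup, findUserUnsafe, findUserSafe) and the table layout are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added illustration (not CAST code): the kind of source-to-sink dataflow a
// SQL Injection (CWE-89) rule reports, next to the parameterized form.
public class UserLookup {

    // 'username' is assumed to originate from an untrusted source such as an
    // HTTP request parameter; a dataflow analyzer tracks it from that source
    // to the query sink below.
    public static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        // FLAGGED: the tainted value is concatenated into the SQL text, so it
        // can change the structure of the query rather than only its data.
        String sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(sql);
    }

    // Remediated form: the query text is fixed and the untrusted value is bound
    // as a parameter, so the JDBC driver treats it strictly as data.
    public static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```

The same source-to-sink reasoning applies to the other injection rules listed above (LDAP, OS command, XPath, path manipulation, log forging): the finding is reported on the path from an input source to a sensitive sink, and the fix is to keep untrusted data out of the interpreted part of the call.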

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Measurement                    | Supported
Function Points (transactions) |
Quality and Sizing             | ✔️

Compatibility

CAST Imaging Core | Supported
≥ 8.3.44          | ✔️

Supported technologies

Technology | Supported
JEE        | ✔️
.NET       | ✔️

Prerequisites

User Input Security analyses require a significant amount of free RAM on the target node - see CAST AIP for Dashboards - Hardware requirements.

Download and install the extension

The Security Analyzer extension must be downloaded manually using the Available Extensions interface in CAST Imaging Console.

Rules provided by the extension

Release     | Link
1.1.0-beta1 | https://technologies.castsoftware.com/rules?sec=srs_securityanalyzer&ref=||1.1.0-beta1

Other rules calculated by the Security Analyzer are provided in CAST Imaging Core.