This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.
Summary: Documentation for the OWASP Index extension.
This extension has been superseded by the Security Standards extension, which uses the same ID: com.castsoftware.owasp-index. This documentation is no longer maintained.

Extension ID

com.castsoftware.owasp-index

Description

This extension will compute OWASP-2021OWASP-2017 and OWASP-2013 "top ten" application security risks as technical criteria grades. All CAST rules that are tagged with an OWASP related tag will contribute to the various OWASP technical criteria provided by the extension, thereby allowing specific grades and rule violations to be reported.

Compatibility

ProductReleaseSupported
AIP Core≥ 8.3.24(tick)

CAST Engineering Dashboard

≥ 1.5(tick)
CAST Health Dashboard≥ 1.17(tick)
CAST Security Dashboard≥ 1.20(tick)

OWASP version

2021(tick)
2017(tick)
2013(tick)

Download and installation instructions

Configuration requirements

Generate a snapshot

A new snapshot must be generated (after the extension is installed) before results can be viewed. If you do not immediately see changes in the dashboard, please consider restarting Apache Tomcat and/or emptying your browser cache.

Engineering Dashboard

Tiles

Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.18 of the Engineering Dashboard. See Engineering Dashboard tile management for more information.

Clicking on the tile navigates to Risk investigation view and the specified Industry Standard will be selected in the Health Factor table. 

Set filterHealthFactor option to false (only required in Engineering Dashboard ≤ 1.17)

Click here to expand...

Before results can be viewed, you must ensure that the "filterHealthFactor": option is set to false. To do so, locate the following file:

CATALINA_HOME\webapps\CAST-Engineering\engineering\resources\ced.json
For v.≥ 1.18: CATALINA_HOME\webapps\CAST-Engineering\engineering\resources\ed.json

Find the following line (near the start of the file):

"filterHealthFactor": true,

If the option is set to true (default position) please change it false. If it is false already, there is nothing further to do:

"filterHealthFactor": false,

Following any changes you make, save the ced.json/ed.json file and then restart your application server so that the changes are taken into account.

You can find out more about the options available in the ced.json/ed.json file in Engineering Dashboard json configuration options.

Health Dashboard

Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Grade, Compliance, and Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.17 of the Health Dashboard. See Health Dashboard tile management for more information. Clicking on any of these tiles will display a list of the rules that have been tagged with the specified standard as provided by the extension. Compliance percentage is also displayed in a "bubble".

Example for cmp.json

Configuration to create a "gauge" tile at portfolio level (multi-app level) to show an OWASP-2017 A1-2017 tile:

{
  "id": 1234,
  "plugin": "IndustryStandards",
  "color": "black",
  "parameters": {
	"type": "OWASP-2017",
    "title": "OWASP-2017 A1-2017",
    "widget": "gauge",
    "industryStandard": {
		"id": "1062321",
		"indexID": "1062320",
		"mode": "grade",
		"format": "0.00",
		"description": "OWASP-2017 A1-2017, in grade format"
    }
  }
}

Example for app.json

Configuration to create a "number of violations" tile at application level (single app level) to show an OWASP-2017 A1-2017 tile:

{
  "id": 1236,
  "plugin": "IndustryStandard",
  "color": "orange",
  "parameters": {
	"type": "OWASP-2017",    
	"title": "OWASP-2017 A1-2017",
    "industryStandard": {
		"id": "1062321",
		"indexID": "1062320",
		"mode": "violations",
		"format": "0,000",
		"description": "OWASP-2017 A1-2017, in number of violations format" 
    }
  }
}

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the dashboards:

Assessment Model

Various Business and Technical Criteria will be added by the extension:

OWASP 2021

IDNameType
1062340OWASP-2021Business Criterion
1062341A01-2021Technical Criterion
1062342A02-2021Technical Criterion
1062343A03-2021Technical Criterion
1062344A04-2021Technical Criterion
1062345A05-2021Technical Criterion
1062346A06-2021Technical Criterion
1062347A07-2021Technical Criterion
1062348A08-2021Technical Criterion
1062349A09-2021Technical Criterion
1062350A10-2021Technical Criterion

OWASP 2017

IDNameType
1062320OWASP-2017Business Criterion
1062321A1-2017Technical Criterion
1062322A2-2017Technical Criterion
1062323A3-2017Technical Criterion
1062324A4-2017Technical Criterion
1062325A5-2017Technical Criterion
1062326A6-2017Technical Criterion
1062327A7-2017Technical Criterion
1062328A8-2017Technical Criterion
1062329A9-2017Technical Criterion

OWASP 2013

IDNameType
1062300OWASP-2013Business Criterion
1062301A1-2013Technical Criterion
1062302A2-2013Technical Criterion
1062303A3-2013Technical Criterion
1062304A4-2013Technical Criterion
1062305A5-2013Technical Criterion
1062306A6-2013Technical Criterion
1062307A7-2013Technical Criterion
1062308A8-2013Technical Criterion
1062309A9-2013Technical Criterion
1062310A10-2013Technical Criterion

Click to enlarge

Engineering Dashboard

≥ 1.18.0

In ≥ 1.18.0 out of the box, results are displayed in a specific interface - click the relevant OWASP Assessment Model option to view the results:

Click to enlarge

≤ 1.17.0

Click here to expand...

In ≤ 1.17.0, out of the box a set of OWASP standards as Business Criteria will be displayed (provided the filterHealthFactor option is set to false in the ed.json file):

Click to enlarge

Each OWASP standard as a Business Criterion will have a set of child OWASP standards as Technical Criteria:

Click to enlarge

Health Dashboard

Out of the box, no results are provided. Tiles can be configured manually as described above.

Security Dashboard

Out of the box, results are displayed in a specific interface - click either the OWASP-2013 or OWASP-2017 Assessment Model options (after clicking the Risk Investigation tile in the Application home page) to view the results:

RestAPI

The RestAPI can be used to query both the Dashboard (AED) and Measurement (AAD) schemas for results, for example: