Security Standards
Extension ID
com.castsoftware.owasp-index
Description
This extension will compute:
- OWASP-2021 , OWASP-2017 , OWASP-2013 top 10 application security risks as technical criteria grades,
- CWE-2023 , CWE-2022 , CWE-2021 , CWE-2020 , CWE-2019 , CWE-2011 top 25 application security risks as technical criteria grades,
- PCI-DSS-V4.0, PCI-DSS-V3.2.1, PCI-DSS-V3.1 security risks as technical criteria grades
All CAST rules that are tagged with a related tag will contribute to the various technical criteria provided by the extension, thereby allowing specific grades and rule violations to be reported.
Compatibility
| Product | Release | Supported |
|---|---|---|
| CAST Imaging Core | ≥ 8.3.24 | ✅ |
| CAST Engineering Dashboard | ≥ 1.5 | ✅ |
| CAST Health Dashboard | ≥ 1.17 | ✅ |
| CAST Security Dashboard | ≥ 1.20 | ✅ |
Supported indexes/standards
- OWASP 2021
- OWASP 2017
- OWASP 2013
- CWE 2023
- CWE 2022
- CWE 2021
- CWE 2020
- CWE 2019
- CWE 2011
- PCI DSS 4.0
- PCI DSS 3.2.1
- PCI DSS 3.1
Download and installation instructions
The extension will not be automatically downloaded and installed. If you need to use it, should manually install the extension.
Configuration requirements
Generate a snapshot
A new snapshot must be generated (after the extension is installed) before results can be viewed. If you do not immediately see changes in the dashboard, please consider restarting the dashboard service and/or emptying your browser cache.
Engineering Dashboard
Tiles
Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.18 of the Engineering Dashboard. See Engineering Dashboard tile management for more information.
Clicking on the tile navigates to Risk investigation view and the specified Industry Standard will be selected in the Health Factor table.
Health Dashboard
Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Grade, Compliance, and Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.17 of the Health Dashboard. See Health Dashboard tile management for more information. Clicking on any of these tiles will display a list of the rules that have been tagged with the specified standard as provided by the extension. Compliance percentage is also displayed in a “bubble”.
Example for cmp.json
Configuration to create a “gauge” tile at portfolio level (multi-app level) to show an OWASP-2017 A1-2017 tile:
{
"id": 1234,
"plugin": "IndustryStandards",
"color": "black",
"parameters": {
"type": "OWASP-2017",
"title": "OWASP-2017 A1-2017",
"widget": "gauge",
"industryStandard": {
"id": "1062321",
"indexID": "1062320",
"mode": "grade",
"format": "0.00",
"description": "OWASP-2017 A1-2017, in grade format"
}
}
}
Example for app.json
Configuration to create a “number of violations” tile at application level (single app level) to show an OWASP-2017 A1-2017 tile:
{
"id": 1236,
"plugin": "IndustryStandard",
"color": "orange",
"parameters": {
"type": "OWASP-2017",
"title": "OWASP-2017 A1-2017",
"industryStandard": {
"id": "1062321",
"indexID": "1062320",
"mode": "violations",
"format": "0,000",
"description": "OWASP-2017 A1-2017, in number of violations format"
}
}
}
What results can you expect?
Once the analysis/snapshot generation has completed, you can view the results in the dashboards:
Assessment Model
Various Business and Technical Criteria will be added by the extension:
OWASP 2021
| ID | Name | Type |
|---|---|---|
| 1062340 | OWASP-2021 | Business Criterion |
| 1062341 | A01-2021 | Technical Criterion |
| 1062342 | A02-2021 | Technical Criterion |
| 1062343 | A03-2021 | Technical Criterion |
| 1062344 | A04-2021 | Technical Criterion |
| 1062345 | A05-2021 | Technical Criterion |
| 1062346 | A06-2021 | Technical Criterion |
| 1062347 | A07-2021 | Technical Criterion |
| 1062348 | A08-2021 | Technical Criterion |
| 1062349 | A09-2021 | Technical Criterion |
| 1062350 | A10-2021 | Technical Criterion |
OWASP 2017
| ID | Name | Type |
|---|---|---|
| 1062320 | OWASP-2017 | Business Criterion |
| 1062321 | A1-2017 | Technical Criterion |
| 1062322 | A2-2017 | Technical Criterion |
| 1062323 | A3-2017 | Technical Criterion |
| 1062324 | A4-2017 | Technical Criterion |
| 1062325 | A5-2017 | Technical Criterion |
| 1062326 | A6-2017 | Technical Criterion |
| 1062327 | A7-2017 | Technical Criterion |
| 1062328 | A8-2017 | Technical Criterion |
| 1062329 | A9-2017 | Technical Criterion |
OWASP 2013
| ID | Name | Type |
|---|---|---|
| 1062300 | OWASP-2013 | Business Criterion |
| 1062301 | A1-2013 | Technical Criterion |
| 1062302 | A2-2013 | Technical Criterion |
| 1062303 | A3-2013 | Technical Criterion |
| 1062304 | A4-2013 | Technical Criterion |
| 1062305 | A5-2013 | Technical Criterion |
| 1062306 | A6-2013 | Technical Criterion |
| 1062307 | A7-2013 | Technical Criterion |
| 1062308 | A8-2013 | Technical Criterion |
| 1062309 | A9-2013 | Technical Criterion |
| 1062310 | A10-2013 | Technical Criterion |
CWE
| ID | Name | Type |
|---|---|---|
| 1066000 | CWE-2011 | Business Criterion |
| 1066001 | CWE-2019 | Business Criterion |
| 1066002 | CWE-2020 | Business Criterion |
| 1066003 | CWE-2021 | Business Criterion |
| 1066004 | CWE-2022 | Business Criterion |
| 1066005 | CWE-2023 | Business Criterion |
| 1066120 | CWE-20 - Improper Input Validation | Technical Criterion |
| 1066122 | CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | Technical Criterion |
| 1066177 | CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | Technical Criterion |
| 1066178 | CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | Technical Criterion |
| 1066179 | CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Technical Criterion |
| 1066189 | CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | Technical Criterion |
| 1066194 | CWE-94 - Improper Control of Generation of Code (‘Code Injection’) | Technical Criterion |
| 1066219 | CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer | Technical Criterion |
| 1066220 | CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | Technical Criterion |
| 1066225 | CWE-125 - Out-of-bounds Read | Technical Criterion |
| 1066234 | CWE-134 - Use of Externally-Controlled Format String | Technical Criterion |
| 1066290 | CWE-190 - Integer Overflow or Wraparound | Technical Criterion |
| 1066300 | CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor | Technical Criterion |
| 1066350 | CWE-250 - Execution with Unnecessary Privileges | Technical Criterion |
| 1066369 | CWE-269 - Improper Privilege Management | Technical Criterion |
| 1066376 | CWE-276 - Incorrect Default Permissions | Technical Criterion |
| 1066387 | CWE-287 - Improper Authentication | Technical Criterion |
| 1066395 | CWE-295 - Improper Certificate Validation | Technical Criterion |
| 1066406 | CWE-306 - Missing Authentication for Critical Function | Technical Criterion |
| 1066407 | CWE-307 - Improper Restriction of Excessive Authentication Attempts | Technical Criterion |
| 1066411 | CWE-311 - Missing Encryption of Sensitive Data | Technical Criterion |
| 1066427 | CWE-327 - Use of a Broken or Risky Cryptographic Algorithm | Technical Criterion |
| 1066452 | CWE-352 - Cross-Site Request Forgery (CSRF) | Technical Criterion |
| 1066462 | CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | Technical Criterion |
| 1066500 | CWE-400 - Uncontrolled Resource Consumption | Technical Criterion |
| 1066516 | CWE-416 - Use After Free | Technical Criterion |
| 1066526 | CWE-426 - Untrusted Search Path | Technical Criterion |
| 1066534 | CWE-434 - Unrestricted Upload of File with Dangerous Type | Technical Criterion |
| 1066576 | CWE-476 - NULL Pointer Dereference | Technical Criterion |
| 1066594 | CWE-494 - Download of Code Without Integrity Check | Technical Criterion |
| 1066602 | CWE-502 - Deserialization of Untrusted Data | Technical Criterion |
| 1066622 | CWE-522 - Insufficiently Protected Credentials | Technical Criterion |
| 1066701 | CWE-601 - URL Redirection to Untrusted Site (‘Open Redirect’) | Technical Criterion |
| 1066711 | CWE-611 - Improper Restriction of XML External Entity Reference | Technical Criterion |
| 1066776 | CWE-676 - Use of Potentially Dangerous Function | Technical Criterion |
| 1066832 | CWE-732 - Incorrect Permission Assignment for Critical Resource | Technical Criterion |
| 1066859 | CWE-759 - Use of a One-Way Hash without a Salt | Technical Criterion |
| 1066872 | CWE-772 - Missing Release of Resource after Effective Lifetime | Technical Criterion |
| 1066887 | CWE-787 - Out-of-bounds Write | Technical Criterion |
| 1066898 | CWE-798 - Use of Hard-coded Credentials | Technical Criterion |
| 1066907 | CWE-807 - Reliance on Untrusted Inputs in a Security Decision | Technical Criterion |
| 1066929 | CWE-829 - Inclusion of Functionality from Untrusted Control Sphere | Technical Criterion |
| 1066962 | CWE-862 - Missing Authorization | Technical Criterion |
| 1066963 | CWE-863 - Incorrect Authorization | Technical Criterion |
| 1067018 | CWE-918 - Server-Side Request Forgery (SSRF) | Technical Criterion |
PCI DSS
| ID | Name | Type |
|---|---|---|
| 1063000 | PCI-DSS-V3.1 | Business Criterion |
| 1063001 | PCI-DSS-V3.2.1 | Business Criterion |
| 1063002 | PCI-DSS-V4 | Business Criterion |
| 1063101 | PCI-Requirement-1.3.8 - Do not disclose private IP addresses and routing information to unauthorized parties | Technical Criterion |
| 1063103 | PCI-Requirement-2.2.4 - Configure system security parameters to prevent misuse | Technical Criterion |
| 1063108 | PCI-Requirement-3.6.1 - Generation of strong cryptographic keys | Technical Criterion |
| 1063109 | PCI-Requirement-4.1 - Use strong cryptography and security protocols | Technical Criterion |
| 1063112 | PCI-Requirement-6.2 - Ensure all Systems and Software are Protected from Known Vulnerabilities | Technical Criterion |
| 1063113 | PCI-Requirement-6.3.1 - Remove Development and Test Accounts, User IDs, and Passwords Before Release | Technical Criterion |
| 1063114 | PCI-Requirement-6.5.1 - Injection flaws, particularly SQL injection | Technical Criterion |
| 1063115 | PCI-Requirement-6.5.10 - Broken authentication and session management | Technical Criterion |
| 1063116 | PCI-Requirement-6.5.2 - Buffer overflows | Technical Criterion |
| 1063117 | PCI-Requirement-6.5.3 - Insecure cryptographic storage | Technical Criterion |
| 1063118 | PCI-Requirement-6.5.4 - Insecure communications | Technical Criterion |
| 1063119 | PCI-Requirement-6.5.5 - Improper error handling | Technical Criterion |
| 1063120 | PCI-Requirement-6.5.6 - All high risk vulnerabilities | Technical Criterion |
| 1063121 | PCI-Requirement-6.5.7 - Cross-site scripting (XSS) | Technical Criterion |
| 1063122 | PCI-Requirement-6.5.8 - Improper access control | Technical Criterion |
| 1063123 | PCI-Requirement-6.5.9 - Cross-site request forgery (CSRF) | Technical Criterion |
| 1063126 | PCI-Requirement-8.2.1 - Using strong cryptography | Technical Criterion |
| 1063150 | PCI-DSS4-Requirement-1.4.5 - The disclosure of internal IP addresses and routing information is limited to only authorized parties | Technical Criterion |
| 1063151 | PCI-DSS4-Requirement-2.2.2 - Vendor default accounts are managed | Technical Criterion |
| 1063152 | PCI-DSS4-Requirement-2.2.6 - System security parameters are configured to prevent misuse | Technical Criterion |
| 1063153 | PCI-DSS4-Requirement-3.6.1 - Procedures are defined and implemented to protect cryptographic keys | Technical Criterion |
| 1063154 | PCI-DSS4-Requirement-4.2.1 - Strong cryptography and security protocols are implemented | Technical Criterion |
| 1063155 | PCI-DSS4-Requirement-6.2.4 - Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities | Technical Criterion |
| 1063156 | PCI-DSS4-Requirement-6.3.2 - An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management. | Technical Criterion |
| 1063157 | PCI-DSS4-Requirement-8.3.2 - Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | Technical Criterion |
Engineering Dashboard
Out of the box, results are displayed in a specific interface - click the relevant Assessment Model option to view the results:
For example, for OWASP 2013 and 2017:
Health Dashboard
Out of the box, no results are provided. Tiles can be configured manually as described above.
Security Dashboard
Out of the box, OWASP results are displayed in a specific interface - click either the OWASP-2013 or OWASP-2017 Assessment Model options (after clicking the Risk Investigation tile in the Application home page) to view the results:
RestAPI
The RestAPI can be used to query both the Dashboard (AED) and Measurement (AAD) schemas for results, for example for OWASP results:
