Security Standards

Extension ID

com.castsoftware.owasp-index

Description

This extension will compute:

All CAST rules that are tagged with a related tag will contribute to the various technical criteria provided by the extension, thereby allowing specific grades and rule violations to be reported.

Compatibility

Product Release Supported
CAST Imaging Core ≥ 8.3.24 ✔️
CAST Engineering Dashboard ≥ 1.5 ✔️
CAST Health Dashboard ≥ 1.17 ✔️
CAST Security Dashboard ≥ 1.20 ✔️

Supported indexes/standards

  • OWASP 2021
  • OWASP 2017
  • OWASP 2013
  • CWE 2022
  • CWE 2021
  • CWE 2020
  • CWE 2019
  • CWE 2011
  • PCI DSS 3.2.1
  • PCI DSS 3.1

Download and installation instructions

The extension will not be automatically downloaded and installed in CAST Console. If you need to use it, should manually install the extension.

Configuration requirements

Generate a snapshot

A new snapshot must be generated (after the extension is installed) before results can be viewed. If you do not immediately see changes in the dashboard, please consider restarting the dashboard service and/or emptying your browser cache.

Engineering Dashboard

Tiles

Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.18 of the Engineering Dashboard. See Engineering Dashboard tile management for more information.

Clicking on the tile navigates to Risk investigation view and the specified Industry Standard will be selected in the Health Factor table. 

Health Dashboard

Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Grade, Compliance, and Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.17 of the Health Dashboard. See Health Dashboard tile management for more information. Clicking on any of these tiles will display a list of the rules that have been tagged with the specified standard as provided by the extension. Compliance percentage is also displayed in a “bubble”.

Example for cmp.json

Configuration to create a “gauge” tile at portfolio level (multi-app level) to show an OWASP-2017 A1-2017 tile:

{
  "id": 1234,
  "plugin": "IndustryStandards",
  "color": "black",
  "parameters": {
    "type": "OWASP-2017",
    "title": "OWASP-2017 A1-2017",
    "widget": "gauge",
    "industryStandard": {
        "id": "1062321",
        "indexID": "1062320",
        "mode": "grade",
        "format": "0.00",
        "description": "OWASP-2017 A1-2017, in grade format"
    }
  }
}

Example for app.json

Configuration to create a “number of violations” tile at application level (single app level) to show an OWASP-2017 A1-2017 tile:

{
  "id": 1236,
  "plugin": "IndustryStandard",
  "color": "orange",
  "parameters": {
    "type": "OWASP-2017",    
    "title": "OWASP-2017 A1-2017",
    "industryStandard": {
        "id": "1062321",
        "indexID": "1062320",
        "mode": "violations",
        "format": "0,000",
        "description": "OWASP-2017 A1-2017, in number of violations format" 
    }
  }
}

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the dashboards:

Assessment Model

Various Business and Technical Criteria will be added by the extension:

OWASP 2021

ID Name Type
1062340 OWASP-2021 Business Criterion
1062341 A01-2021 Technical Criterion
1062342 A02-2021 Technical Criterion
1062343 A03-2021 Technical Criterion
1062344 A04-2021 Technical Criterion
1062345 A05-2021 Technical Criterion
1062346 A06-2021 Technical Criterion
1062347 A07-2021 Technical Criterion
1062348 A08-2021 Technical Criterion
1062349 A09-2021 Technical Criterion
1062350 A10-2021 Technical Criterion

OWASP 2017

ID Name Type
1062320 OWASP-2017 Business Criterion
1062321 A1-2017 Technical Criterion
1062322 A2-2017 Technical Criterion
1062323 A3-2017 Technical Criterion
1062324 A4-2017 Technical Criterion
1062325 A5-2017 Technical Criterion
1062326 A6-2017 Technical Criterion
1062327 A7-2017 Technical Criterion
1062328 A8-2017 Technical Criterion
1062329 A9-2017 Technical Criterion

OWASP 2013

ID Name Type
1062300 OWASP-2013 Business Criterion
1062301 A1-2013 Technical Criterion
1062302 A2-2013 Technical Criterion
1062303 A3-2013 Technical Criterion
1062304 A4-2013 Technical Criterion
1062305 A5-2013 Technical Criterion
1062306 A6-2013 Technical Criterion
1062307 A7-2013 Technical Criterion
1062308 A8-2013 Technical Criterion
1062309 A9-2013 Technical Criterion
1062310 A10-2013 Technical Criterion

CWE

ID Name Type
1066000 CWE-2011 Business Criterion
1066001 CWE-2019 Business Criterion
1066002 CWE-2020 Business Criterion
1066003 CWE-2021 Business Criterion
1066004 CWE-2022 Business Criterion
1066122 CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) technical-criterion
1066178 CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) technical-criterion
1066179 CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) technical-criterion
1066189 CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) technical-criterion
1066220 CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) technical-criterion
1066231 CWE-131 - Incorrect Calculation of Buffer Size technical-criterion
1066234 CWE-134 - Use of Externally-Controlled Format String technical-criterion
1066290 CWE-190 - Integer Overflow or Wraparound technical-criterion
1066350 CWE-250 - Execution with Unnecessary Privileges technical-criterion
1066406 CWE-306 - Missing Authentication for Critical Function technical-criterion
1066407 CWE-307 - Improper Restriction of Excessive Authentication Attempts technical-criterion
1066411 CWE-311 - Missing Encryption of Sensitive Data technical-criterion
1066427 CWE-327 - Use of a Broken or Risky Cryptographic Algorithm technical-criterion
1066452 CWE-352 - Cross-Site Request Forgery (CSRF) technical-criterion
1066534 CWE-434 - Unrestricted Upload of File with Dangerous Type technical-criterion
1066594 CWE-494 - Download of Code Without Integrity Check technical-criterion
1066701 CWE-601 - URL Redirection to Untrusted Site (‘Open Redirect’) technical-criterion
1066776 CWE-676 - Use of Potentially Dangerous Function technical-criterion
1066832 CWE-732 - Incorrect Permission Assignment for Critical Resource technical-criterion
1066859 CWE-759 - Use of a One-Way Hash without a Salt technical-criterion
1066898 CWE-798 - Use of Hard-coded Credentials technical-criterion
1066907 CWE-807 - Reliance on Untrusted Inputs in a Security Decision technical-criterion
1066929 CWE-829 - Inclusion of Functionality from Untrusted Control Sphere technical-criterion
1066962 CWE-862 - Missing Authorization technical-criterion
1066963 CWE-863 - Incorrect Authorization technical-criterion
1066120 CWE-20 - Improper Input Validation technical-criterion
1066194 CWE-94 - Improper Control of Generation of Code (‘Code Injection’) technical-criterion
1066219 CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer technical-criterion
1066225 CWE-125 - Out-of-bounds Read technical-criterion
1066300 CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor technical-criterion
1066369 CWE-269 - Improper Privilege Management technical-criterion
1066387 CWE-287 - Improper Authentication technical-criterion
1066395 CWE-295 - Improper Certificate Validation technical-criterion
1066500 CWE-400 - Uncontrolled Resource Consumption technical-criterion
1066516 CWE-416 - Use After Free technical-criterion
1066526 CWE-426 - Untrusted Search Path technical-criterion
1066576 CWE-476 - NULL Pointer Dereference technical-criterion
1066602 CWE-502 - Deserialization of Untrusted Data technical-criterion
1066711 CWE-611 - Improper Restriction of XML External Entity Reference technical-criterion
1066872 CWE-772 - Missing Release of Resource after Effective Lifetime technical-criterion
1066887 CWE-787 - Out-of-bounds Write technical-criterion
1066622 CWE-522 - Insufficiently Protected Credentials technical-criterion
1066177 CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’) technical-criterion
1066376 CWE-276 - Incorrect Default Permissions technical-criterion
1067018 CWE-918 - Server-Side Request Forgery (SSRF) technical-criterion
1066462 CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) technical-criterion

PCI DSS

ID Name Type
1063000 PCI-DSS-V3.1 Business Criterion
1063001 PCI-DSS-V3.2.1 Business Criterion
1063101 PCI-Requirement-1.3.8 - Do not disclose private IP addresses and routing information to unauthorized parties. technical-criterion
1063103 PCI-Requirement-2.2.4 - Configure system security parameters to prevent misuse. technical-criterion
1063108 PCI-Requirement-3.6.1 - Generation of strong cryptographic keys technical-criterion
1063109 PCI-Requirement-4.1 - Use strong cryptography and security protocols technical-criterion
1063112 PCI-Requirement-6.2 - Ensure all Systems and Software are Protected from Known Vulnerabilities technical-criterion
1063113 PCI-Requirement-6.3.1 - Remove Development and Test Accounts, User IDs, and Passwords Before Release technical-criterion
1063114 PCI-Requirement-6.5.1 - Injection flaws, particularly SQL injection technical-criterion
1063115 PCI-Requirement-6.5.10 - Broken authentication and session management technical-criterion
1063116 PCI-Requirement-6.5.2 - Buffer overflows technical-criterion
1063117 PCI-Requirement-6.5.3 - Insecure cryptographic storage technical-criterion
1063118 PCI-Requirement-6.5.4 - Insecure communications technical-criterion
1063119 PCI-Requirement-6.5.5 - Improper error handling technical-criterion
1063120 PCI-Requirement-6.5.6 - All high risk vulnerabilities technical-criterion
1063121 PCI-Requirement-6.5.7 - Cross-site scripting (XSS) technical-criterion
1063122 PCI-Requirement-6.5.8 - Improper access control technical-criterion
1063123 PCI-Requirement-6.5.9 - Cross-site request forgery (CSRF) technical-criterion
1063126 PCI-Requirement-8.2.1 - Using strong cryptography technical-criterion

Engineering Dashboard

Out of the box, results are displayed in a specific interface - click the relevant Assessment Model option to view the results:

For example, for OWASP 2013 and 2017:

Health Dashboard

Out of the box, no results are provided. Tiles can be configured manually as described above.

Security Dashboard

Out of the box, OWASP results are displayed in a specific interface - click either the OWASP-2013 or OWASP-2017 Assessment Model options (after clicking the Risk Investigation tile in the Application home page) to view the results:

RestAPI

The RestAPI can be used to query both the Dashboard (AED) and Measurement (AAD) schemas for results, for example for OWASP results: