Security Analyzer - 1.1
Technical information
- com.castsoftware.securityanalyzer is compatible with Core ≥ 8.3.44 and ≥ 8.4.0.
- Once the extension has been installed and used to produce analysis results, the choice cannot be reversed: removing the extension and re-analyzing the source code will not undo it.
In what situation should you install this extension?
This extension is used as part of the “User Input/Security Dataflow” feature available in CAST. It detects, in your application source code, improper validation of user input received through API calls (REST, JMS, etc.), second-order injections, hard-coded elements, incorrect values passed to encryption APIs, and more. These flaws can lead to the following security vulnerabilities:
- SQL Injection (CWE-89)
- Cross-Site Scripting (CWE-79)
- LDAP Injection (CWE-90)
- OS Command Injection (CWE-78)
- XPath Injection (CWE-91)
- Path Manipulation (CWE-99)
- Log Forging (CWE-117)
- Uncontrolled Format String (CWE-134)
- Trust Boundary Violation (CWE-501)
- Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute (CWE-614)
- Use of Hard-coded Credentials (Java, C#, VB.NET) (CWE-798)
The extension also provides further rules and, for JEE and .NET only, computes a large set of security rules that require dataflow technology. Detailed information about how com.castsoftware.securityanalyzer works can be found in:
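The following is an added, constructed illustration (not code from CAST or from the Security Analyzer extension) of the source-to-sink patterns behind several of the CWEs listed above. One request parameter flows, unvalidated, into a SQL query (CWE-89), a log line (CWE-117) and a session cookie that is never marked Secure (CWE-614), next to a hard-coded database password (CWE-798); the second method shows the same lookup with each sink protected. The JDBC URL, the `accounts` table and its columns, the environment variable names and the `javax.servlet` namespace (rather than `jakarta.servlet`) are assumptions of the example.

```java
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import java.util.logging.Logger;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Constructed illustration (added here; not CAST code) of what a user-input
 * dataflow analysis looks for: a request parameter reaching a SQL, log and
 * cookie sink without validation, plus a credential embedded in the source.
 * JDBC URL, schema and environment variable names are assumed.
 */
public class AccountLookup {

    private static final Logger LOG = Logger.getLogger(AccountLookup.class.getName());
    private static final SecureRandom RNG = new SecureRandom();
    private static final String DB_URL = "jdbc:postgresql://db.example.internal/accounts"; // assumed

    /* ---------- Vulnerable version: the patterns the analyzer is meant to flag ---------- */

    // CWE-798: credentials embedded in the class file.
    private static final String DB_USER = "app";
    private static final String DB_PASSWORD = "s3cr3t";

    public String lookupVulnerable(HttpServletRequest req, HttpServletResponse resp) throws SQLException {
        String user = req.getParameter("user");                  // taint source: attacker-controlled

        LOG.info("balance lookup for " + user);                  // CWE-117: a "\n" in user forges a new log line

        String balance = null;
        try (Connection c = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
             Statement st = c.createStatement();
             // CWE-89: user is spliced into the statement text, e.g. user = "x' OR '1'='1"
             ResultSet rs = st.executeQuery("SELECT balance FROM accounts WHERE name = '" + user + "'")) {
            if (rs.next()) {
                balance = rs.getString(1);
            }
        }

        Cookie session = new Cookie("SESSION", newSessionId());
        resp.addCookie(session);                                 // CWE-614: Secure (and HttpOnly) never set
        return balance;
    }

    /* ---------- Hardened version: same behaviour, each sink protected ---------- */

    public String lookupHardened(HttpServletRequest req, HttpServletResponse resp) throws SQLException {
        String user = req.getParameter("user");
        // Allow-list validation at the trust boundary (CWE-501): reject anything that is not a plain account name.
        if (user == null || !user.matches("[A-Za-z0-9_]{1,32}")) {
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }

        // Neutralise CR/LF before the value reaches the log (CWE-117), even though the allow-list excludes them.
        LOG.info("balance lookup for " + user.replaceAll("[\\r\\n]", "_"));

        // Credentials come from the environment, not the source tree (CWE-798). Variable names are assumed.
        String dbUser = System.getenv("DB_USER");
        String dbPassword = System.getenv("DB_PASSWORD");

        String balance = null;
        try (Connection c = DriverManager.getConnection(DB_URL, dbUser, dbPassword);
             PreparedStatement ps = c.prepareStatement("SELECT balance FROM accounts WHERE name = ?")) {
            ps.setString(1, user);                               // bound parameter: never parsed as SQL (CWE-89)
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    balance = rs.getString(1);
                }
            }
        }

        Cookie session = new Cookie("SESSION", newSessionId());
        session.setSecure(true);                                 // only sent over HTTPS (CWE-614)
        session.setHttpOnly(true);                               // not readable from script; limits XSS impact (CWE-79)
        session.setPath("/");
        resp.addCookie(session);
        return balance;
    }

    // Unpredictable session identifier: 32 bytes from a CSPRNG, URL-safe base64 without padding.
    private static String newSessionId() {
        byte[] id = new byte[32];
        RNG.nextBytes(id);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(id);
    }
}
```

Dataflow analyzers of this kind identify sources and sinks by the APIs involved (`getParameter`, `Statement.executeQuery`, `Logger.info`, `addCookie`) and then check whether a recognised sanitizer or safe API sits on the path. That is why the hardened version binds the value through `PreparedStatement.setString` rather than escaping it by hand: a parameter binding is a safe sink regardless of the input, whereas a home-grown escaping routine may or may not be recognised and is easier to get wrong.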
Function Point, Quality and Sizing support
- Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
- Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
| Function Points (transactions) | Quality and Sizing |
|---|---|
| ❌ | ✅ |
Supported technologies
| Technology | Supported |
|---|---|
| JEE | ✅ |
| .NET | ✅ |
Prerequisites
User Input Security analyses require a minimum of 32 GB RAM on the target node.
Download and install the extension
- V1/V2: the extension must be downloaded manually if it is required.
- V3: the extension will be automatically installed when the Security Dataflow feature is enabled as described in Security Dataflow.
Quality rules
- 1.1.7-funcrel
- 1.1.6-funcrel
- 1.1.5-funcrel
- 1.1.4-funcrel
- 1.1.3-funcrel
- 1.1.2-funcrel
- 1.1.1-funcrel
- 1.1.0-funcrel
- 1.1.0-beta1
Other rules calculated by the Security Analyzer are provided in Core.