CAST Imaging reads the source code and data scripts across the layers and technologies comprising a software application, and automatically derives knowledge about its inner workings.
This document answers common questions about the mechanisms built into CAST Imaging and the standards followed during its development process for addressing the safety and security of the source code and data scripts being read, and the derived knowledge being provided by CAST Imaging.
CAST Imaging is typically deployed on your premises or on your system integrator's (SI's) premises. The safety and security of those environments are under your (or your SI's) control and are out of scope here.
What application data or other data does CAST Imaging store? How secure is that data?
Neither application data nor run-time data are stored in CAST Imaging. CAST Imaging ingests the source code and the data scripts comprising an application from your source code repository.
INPUT: CAST Imaging stores all input artifacts (source code and data scripts) in an internal PostgreSQL repository, which allows them to be encrypted with pgcrypto (AES-256) if desired.
OUTPUT: CAST Imaging stores the sub-directory structure and file names of the input artifacts, the names of all source elements (functions, procedures, objects, methods, variables, tables, fields, etc.), and the knowledge derived from analyzing their relationships. The output is not encrypted.
Access to both INPUT and OUTPUT data is gated by the access control built into CAST Imaging. When SAML is used, access to CAST Imaging, including the add-on Dashboards, relies on your (or your SI's) security policy for authentication, including the use of two-factor authentication (2FA).
Is the source code safe?
Yes, a copy of the source code is stored internally in CAST Imaging using PostgreSQL, with the encryption mechanism provided by PostgreSQL (pgcrypto, AES-256). The process is described here.
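The pgcrypto mechanism the two answers above refer to, shown as an added SQL example (this is not CAST's own code, schema or process; the table, column names and key are constructed). The point a practitioner should check is that pgp_sym_encrypt uses AES-128 unless cipher-algo=aes256 is requested explicitly, and that only file bodies, not paths, end up encrypted:

```sql
-- Added example (not CAST's code or schema): storing a source file in PostgreSQL
-- with pgcrypto, requesting AES-256 explicitly. Table and column names are
-- hypothetical. pgp_sym_encrypt defaults to AES-128 unless cipher-algo is set.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE source_artifact (
    id      serial PRIMARY KEY,
    path    text  NOT NULL,   -- relative path, stored in clear (as the FAQ states)
    content bytea NOT NULL    -- encrypted file body
);

-- Implicit default: no cipher-algo option, so pgcrypto uses AES-128.
INSERT INTO source_artifact (path, content)
VALUES ('src/Billing.java',
        pgp_sym_encrypt('class Billing { /* constructed sample */ }',
                        'CHANGE-ME-KEY'));

-- Explicit AES-256 (what the FAQ describes) with a hardened S2K key-derivation
-- setting; s2k-count is the iteration count for deriving the cipher key.
INSERT INTO source_artifact (path, content)
VALUES ('src/Billing.java',
        pgp_sym_encrypt('class Billing { /* constructed sample */ }',
                        'CHANGE-ME-KEY',
                        'cipher-algo=aes256, s2k-mode=3, s2k-count=65011712'));

-- Round-trip check: the plaintext comes back only when the key is supplied.
SELECT id, path, pgp_sym_decrypt(content, 'CHANGE-ME-KEY') AS plaintext
FROM source_artifact;

-- Verification a reviewer can run: the stored bytes must not contain the
-- source text in clear, while the path column (per the FAQ) remains readable.
SELECT id, path,
       position('class Billing' in encode(content, 'escape')) = 0 AS body_not_in_clear
FROM source_artifact;
```

Both rows decrypt identically; the difference is only visible in the cipher chosen, so the encryption options should be fixed in the application's configuration rather than left to the pgcrypto default.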
Is data encrypted in transit? Is there a risk of data leak over the internet?
For exchanges between CAST Imaging modules, SSL connections are used to secure the data exchanged. When communicating remotely with CAST Technical Support, if the source code is needed, CAST provides a tool to anonymize the source code before it is sent over the internet.
Does CAST Imaging support 2FA (two factor authentication)?
CAST Imaging supports 2FA through SAML. When SAML is used, access to CAST Imaging, including the add-on Dashboards, relies on your (or your SI's) security policy for authentication, including the use of 2FA.
What are the security standards that you apply to CAST Imaging and its add-ons?
All CAST Imaging source code is checked daily, using our commercially available static analyzers, for compliance with CWE Top 25 and OWASP 2017/2021.
Does CAST perform any WAPT (“pentest”)? What is the frequency? What is the process followed?
AGIO (https://agio.com/) performs annual penetration tests of CAST Imaging and issues a report to CAST. If needed, CAST addresses any issues found and AGIO tests again. AGIO then delivers a report rating the maintenance and security level of CAST Imaging.
The latest AGIO report (Nov. 2021) states: "Overall, Agio rates this environment as strong, secure, and well maintained; all components are up to date, and there are no security concerns at this time following the successful remediations."
What is the GDPR Compliance policy from CAST?
CAST complies with GDPR. CAST Imaging doesn't store any personally identifiable information (PII).
Is there a process to ensure that media are erased securely at disposal?
CAST Imaging's uninstall procedure does not include erasure of the internal databases used for storing object names, paths, metrics, and source code; that must be done with the PostgreSQL uninstaller. For the graph database (Neo4J) used for visualizing the derived knowledge stored in CAST Imaging, there is an option to erase it automatically when uninstalling. There is no erase process for the directories used by the analysis process.
Does CAST conduct vulnerability scanning? What is the frequency?
Vulnerability scanning is an integral part of the CAST Imaging CI/CD process, and it is performed daily on the source code.
Does CAST implement secure coding best practices during the product development life cycle?
Yes, all CAST Imaging source code is checked daily, using our commercially available static analyzers, for compliance with CWE Top 25 and OWASP 2017/2021.
Does CAST have an information security policy and awareness training?
Yes, we have such a policy. We conduct information security awareness training annually.
Do CAST and CAST’s hosting providers have third party security certifications?
Yes, we hold certifications against ISO 27001, ISO 27017, ISO 27018, and ISO 27701.