Supported Security Standards

Introduction
CAST AIP coverage for OWASP Top 10 - 2013
CAST AIP coverage for CWE Top 25
CAST AIP coverage for additional security vulnerabilities identified by OWASP and CWE
CAST AIP coverage for PCI DSS
CAST AIP OWASP Coverage – Detailed Description
CAST AIP coverage for CISQ/OMG

Introduction

CAST AIP provides support for a wide range of security rules that are established by leading industry research and standards on security vulnerabilities. These security rules are originated from established standards such as:

Open Web Application Security Project (OWASP) Top 10 - OWASP Top 10 provides a list of the 10 most critical web application security risks.
Common Weakness Enumeration (CWE) Top 25 – CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.
Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS provides an actionable framework for developing a robust payment card data security process.
Consortium for IT Software Quality (CISQ) / OMG Automated Source Code Security Measure Standard - MITRE has participated to the CISQ initiative to specify an automated source code security measurement standard, derived from the CWE Top 25 by focusing on automatable measurements. Please also refer to MITRE own communication about their work with the CISQ:
- http://cwe.mitre.org/news/index.html#september172015_CWE_Mentioned_in_CISQ_Press_Release_Announcing_New_Specifications_for_Measuring_Structural_Quality_of_Software
- http://cwe.mitre.org/documents/advances_in_information_assuarance_standards.pdf

The following tables explain the CAST AIP coverage for these security standards:

CAST AIP coverage for OWASP Top 10 - 2013

For more details on each vulnerability, you can check the OWASP website.

OWASP Vulnerability	Description	CAST AIP Coverage
A1-Injection	Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.	Pre-built rule in CAST AIP – check CAST AIP OWASP Coverage – Detailed Description for list of rules and more details.
A2-Broken Authentication and Session Management	Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.	This is planned for a future release
A3-Cross-Site Scripting (XSS)	XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.	Pre-built rule in CAST AIP – check CAST AIP OWASP Coverage – Detailed Description for list of rules and more details.
A4-Insecure Direct Object References	A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.	As described in the OWASP document these vulnerabilities are impossible to check using source code analysis
A5-Security Misconfiguration	Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.	Application security policies should be reviewed by a domain expert at the application-architecture level to ensure best practices are followed. CAST supports the application/security architect by providing information about application structure, allowing the definition of custom rules using architecture checker, and the tracking and control of these rules in subsequent application development.
A6-Sensitive Data Exposure	Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.	Sensitive cryptography routines should be reviewed by a domain expert at the application-architecture level to ensure best practices are followed. CAST supports the application/security architect by providing information about application structure, allowing the definition of custom rules using architecture checker, and the tracking and control of these rules in subsequent application development.
A7-Missing Function Level Access Control	Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.	AIP is currently able to check that access control systems are in place for some presentation frameworks, such as Struts.
A8-Cross-Site Request Forgery (CSRF)	A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.	Pre-built rule in CAST AIP – check CAST AIP OWASP Coverage – Detailed Description for list of rules and more details.
A9-Using Components with Known Vulnerabilities	Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defences and enable a range of possible attacks and impacts.	A complete inventory of the third parties (libraries, frameworks and tools) used by a project should be in place. Versions should be kept up-to-date, and current versions should be monitored for security weaknesses announcements. These vulnerabilities are not possible to find using static analysis. CAST has integrations with vendors in the SCA space who track known vulnerabilities, to display them alongside CAST AIP findings.
A10-Unvalidated Redirects and Forwards	Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access	As described in the OWASP document these vulnerabilities are impossible to check using source code analysis

CAST AIP coverage for CWE Top 25

All the categories, rules, and related description are referenced from CWE/SANS and CWE/SANS Top 25 Most Dangerous Software Errors.

Insecure Interaction between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

Rank	CWE ID	Name	Recommendation/Mitigation/Comments	Coverage with CAST AIP
[1]	CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	Checking for SQL Injection by	Pre-built rule in AIP – 2663 - Avoid SQL injection vulnerabilities
[2]	CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	Checking for OS Command Injection	Pre-built rule in AIP – 2661 - Avoid OS command injection vulnerabilities
[4]	CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	Checking for Cross-site scripting	Pre-built rule in AIP – 2284 - Avoid cross-site scripting vulnerabilities
[9]	CWE-434	Unrestricted Upload of File with Dangerous Type	Input Validation	In CAST AIP 8.0, wewill trigger this rulevia PATH Manipulation. It is not available in CAST AIP 7.3. Extend the following existing rules – 2437 - Avoid non-standard file extensions 2659 - Avoid file path manipulation vulnerabilities 2660 - Avoid XPath injection vulnerabilities
[12]	CWE-352	Cross-Site Request Forgery (CSRF)	Ensure that application is free of cross-site scripting issues (CWE-79), because most CSRF defences can be bypassed using attacker-controlled script.	Pre-built rule in AIP – 2284 - Avoid cross-site scripting vulnerabilities
[22]	CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	Checking for Cross-site scripting	Pre-built rule in AIP – 2284 - Avoid cross-site scripting vulnerabilities

Risky resource management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

Rank	CWE ID	Name	Recommendation/Mitigation/Comments	Coverage with CAST AIP
[3]	CWE-120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')	Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.	This rule is handled through a combination of existing quality rules around memory handling listed below – 2282 - Avoid using getopt() function, 2327 - Never use sprintf() function or vsprintf() function Never perform C cast between incompatible class pointers 2413 - Avoid using static_cast on class/struct pointers
[13]	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	Checking for file path manipulation	Pre-built rule in AIP – 2659 - Avoid file path manipulation vulnerabilities
[14]	CWE-494	Download of Code Without Integrity Check	Check Download Code Integrity	We manage this using Input Validation approach – 2437 - Avoid non-standard file extensions 2659 - Avoid file path manipulation vulnerabilities 2660 - Avoid XPath injection vulnerabilities
[16]	CWE-829	Inclusion of Functionality from Untrusted Control Sphere	When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numericIDs) to the actual filenames or URLs, and reject all other inputs.	This is handled by checking every internet library for vulnerability and maintaining a whitelist. Normally we can check the HTML code and parse the URL to verify the domain. Extend the existing rule 2660 - Avoid XPath injection vulnerabilities
[18]	CWE-676	Use of Potentially Dangerous Function	Checking for programming best practices	Pre-built rule in AIP – 2279 - Avoid using snprintf() function 2280 - Avoid using realpath() function 2325 - Avoid using the scanf() function
[20]	CWE-131	Incorrect Calculation of Buffer Size	Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.	This is handled through a combination of existing quality rules listed below: 2327 - Never use sprintf() function or vsprintf() function Never perform C cast between incompatible class pointers 2413 - Avoid using static_cast on class/struct pointers
[23]	CWE-134	Uncontrolled Format String	Checking for programming best practices	Checking for programming best practices Pre-built inCAST AIP rule. Extend the following existing rules – 8098 - Uncontrolled format string
[24]	CWE-190	Integer Overflow or Wraparound	Perform check on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.	These rules require using DF with Arithmetics. This will be handled by extending the existing rule, 2282 - Avoid using getopt() function

Porous Defences

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

Rank	CWE ID	Name	Recommendation/Mitigation/Comments	Coverage with CAST AIP
[5]	CWE-306	Missing Authentication for Critical Function	avoid implementing custom authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment.	This requirement will be achieved using DF andUser input security and extending existing rules – 2284 - Avoid cross-site scripting vulnerabilities, 2662 - Avoid LDAP injection vulnerabilities
[6]	CWE-862	Missing Authorization	Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.	This requirement will be achieved using DF andUser input security and extending existing rules – 2284 - Avoid cross-site scripting vulnerabilities 2662 - Avoid LDAP injection vulnerabilities
[8]	CWE-311	Missing Encryption of Sensitive Data	Periodically ensure that you aren't using obsolete cryptography. Avoid using old encryption techniques using MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong.	Checking of encryptionis not handled. This requirement will be implemented by validating the algorithm and extending existing rules – 2284 - Avoid cross-site scripting vulnerabilities 2662 - Avoid LDAP injection vulnerabilities
[10]	CWE-807	Reliance on Untrusted Inputs in a Security Decision	Consider getcookies as unsafe	Pre-built rule in AIP – 2284 - Avoid cross-site scripting vulnerabilities
[11]	CWE-250	Execution with Unnecessary Privileges	Checking for privileges being appropriately implemented based on the scenario/use case. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability.	This is more linked to dynamic analysis and not handled byCAST AIP today.We will have to extend existing rules – 2284 - Avoid cross-site scripting vulnerabilities 2662 - Avoid LDAP injection vulnerabilities
[15]	CWE-863	Incorrect Authorization	Consider getcookies as unsafe	Pre-built rule in AIP – 2284 - Avoid cross-site scripting vulnerabilities
[17]	CWE-732	Incorrect Permission Assignment for Critical Resource	Path manipulation	Pre-built rule in AIP – 2659 - Avoid file path manipulation vulnerabilities
[19]	CWE-327	Use of a Broken or Risky Cryptographic Algorithm	Validating encryption algorithms	This will be addressed by creating a blacklist of functions considered risky or broken (Handle via maintaining blacklist of well known and crypto algorithms) and applying custom architectural rules to check for the use of appropriate functions.
[21]	CWE-307	Improper Restriction of Excessive Authentication Attempts	Check login implementation	This will be handled by extending the following existing rules – 521 - Avoid direct access to database Procedures/Functions 750 - User Interface elements must not use directly the database\|
[25]	CWE-759	Use of a One-Way Hash without a Salt	Checking for programming best practices. Best practice, always use initialises that contain salt for Hash. Instead of calling Hashlib with just one parameter use additional parameters for salt.	This will be addressed by blacklisting methods that does not contain the good initialization parameters. Extend the following existing rules – 2785 - Avoid using Hashtable 1035 - Avoid classes overriding only equals() or only hashCode()

CAST AIP coverage for additional security vulnerabilities identified by OWASP and CWE

CWE ID	Name	Recommendation/Mitigation/Comments	Coverage with CAST AIP
CWE-20	Improper Input Validation	Checking for best programming practices	Pre-built rule in AIP – 2663 - Avoid SQL injection vulnerabilities 2660 - Avoid XPath injection vulnerabilities 2284 - Avoid cross-site scripting vulnerabilities
CWE-116	Improper Encoding or Escaping of Output	Checking for best programming practices	Pre-built rule in AIP – 2663 - Avoid SQL injection vulnerabilities 2661- Avoid OS command injection vulnerabilities 2284 - Avoid cross-site scripting vulnerabilities
CWE-90	LDAP Injection	Checking for LDAP injection	Pre-built rule in AIP – 2662 - Avoid LDAP injection vulnerabilities
CWE-91	XPATH Injection	Checking for XPATH injection	Pre-built rule in AIP – 2660 - Avoid XPath injection vulnerabilities
CWE-73	External Control of File Name or Path	Checking for file path manipulation	Pre-built rule in AIP – 2659 - Avoid file path manipulation vulnerabilities
CWE-99	Improper Control of Resource Identifiers ('Resource Injection')	Checking for best programming practices	Pre-built rule in AIP – 2659 - Avoid file path manipulation vulnerabilities
CWE-117	Improper Output Neutralization for Logs	Checking for log forging	Pre-built rule in AIP – 2141 - Avoid Log forging vulnerabilities
CWE-252	The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.	Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment.	Supported from CAST AIP 8.0 onwards
CWE-681	When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values.	Avoid making conversion between numeric types. Always check for the allowed ranges.	Supported from CAST AIP 8.0 onwards

CAST AIP coverage for PCI DSS

PCI DSS Requirement	Coverage with CAST AIP
6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.	CAST AIP can be seamlessly integrated into the existing development process either at the build phase or before testing phase. CAST AIP also automatically assigns ranks to the vulnerabilities through a combination of vulnerability severity, determined by industry standards, and the risk the specific vulnerability presents to the application as a whole (though propagation risk analysis and transaction risk analysis) In addition to identifying the vulnerability, CAST AIP also provides detailed guidance on how to fix the vulnerability with sample code.
6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices, and incorporate information security throughout the software development life cycle. 6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.	CAST AIP out of the box includes more than 300 security best practices that cover nearly 30 programming languages. Also, CAST AIP can be integrated into the SDLC to automate the process of code analysis to identify these vulnerabilities. CAST AIP also provides additional tools like "Architecture Checker" to create custom rules unique to specific applications.
6.4 Follow change control processes and procedures for all changes to system components.	CAST Discovery Portal, creates an automatic blue print of the entire system dependencies and also specifically identifies the code added, modified and deleted. This information can expedite the process of following change control procedures.
6.5 Develop applications based on secure coding guidelines and review custom application code to identify coding vulnerabilities. Follow up-to-date industry best practices to identify and manage vulnerabilities (i.e., the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.). The current best practices must be used for these requirements. 6.5.1 Injection flaws, particularly SQL injection. 6.5.2 buffer overflow 6.5.3 Insecure cryptographic storage 6.5.4 Insecure communications 6.5.5 Improper error handling 6.5.6 All "high" vulnerabilities identified in the vulnerability-identification process (as defined in PCI DSS Requirement 6.2). 6.5.7 Cross-site scripting (XSS) 6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access and directory traversal). 6.5.9 Cross-site request forgery (CSRF)	CAST AIP addresses most of these requirements. Please see CAST AIP coverage of OWASP and CWE Top 25.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes	CAST AIP provides most comprehensive static analysis automated application vulnerability security assessment tool.
11.2.1 Perform quarterly internal vulnerability scans. 11.2.3 Perform internal and external scans after any significant change.	CAST AIP configured to automatically run at a regular interval or after any changes to the system.

CAST AIP OWASP Coverage – Detailed Description

All the rules and related description are referenced from OWASP.

OWASP 2013 - A1 – Injection Flaws

"Injection flaws, particularly SQL injection, are common in web applications. There are many types of injections: SQL, LDAP, XPath, XSLT, HTML, XML, OS command injection and many more.Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data."

CAST AI Platform integrates a User Input Security Analyzer based on dataflow technology. The Dataflow User Input Security Analyzer is a technology embedded in the code analyzer that uses tainted variable analysis and tracks input data thru out the source code to find a path where the input data is sent to a target server without prior sanitization / encoding.

The User Input Security Analyzer offers directly supports the following type of injection flaws grouped into the technical criteria metric called "Secure Coding - Input Validation":

SQL injection flaws
LDAP injection flaws
OS command injection flaws
XPath injection flaws
File path manipulation flaws

The User Input Security Analyzer can be customized to specific need interactively to add specific sanitization, input or target methods for a given type of flaw. The Dataflow User Input Security Analyzer offer manager and developers the view of the precise path(s) where the vulnerability exist in a call path view directly in the CAST dashboards.

In addition to the dataflow searched quality rules, CAST AI Platform provides out of the box the following framework based rules also grouped into the technical criteria metric called "Secure Coding - Input Validation":

ASP.NET: Always validate user input with Request variables
Struts Validator: Avoid action mappings validator turned off
Struts Validator: Avoid Form Field without Validator
Struts Validator: Avoid multiple validation form with the same name
Struts Validator: Avoid unused validation form
Struts Validator: Avoid Validator field without Form Field
Struts Validator: Enable Struts Validator plugin
Struts Validator: Form Bean must extend Validator Class
Struts Validator: Validator form validate() method must call super.validate()

For applications following the OWASP recommendation to implement object relational mapping (ORM) libraries such as Hibernate, CAST provides a specific rule that checks that only Hibernate is used to access the database:

Hibernate: Use only Hibernate API to access to the database

CAST provides also 13 rules to check that Hibernate architecture & performance best practices are in place.

OWASP 2013 - A3 – Cross Site Scripting (XSS)

"Cross-site scripting, better known as XSS, is in fact a subset of HTML injection. XSS is the most prevalent and pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content."

Being a special form of injection, a part of the solution to get rid of the XSS threat comes from checking the protection in place for A2 Injection Flaws (see A2). Indeed, beside A2 protection (validation of all incoming data), the OWASP Top Ten document recommends the "appropriate encoding of all output data".

CAST supports checking that using the same technology as for Injection Flaws: dataflow and tainted variable analysis to track input data thru out the source code in order find a path where the input data is sent back to the user without prior sanitization / encoding. The User Input Security Analyzer offers directly supports Cross-Site Scripting flaws that can be found in the technical criteria metric called "Secure Coding - Input Validation". As for A1-Injection flaws, the user can customize interactively the analysis to meet specific needs: adding specific sanitization, input or target methods for a given type of flaw is done directly thru the GUI. XSS results are displayed in the dashboard which offers the view of precise path(s) where the vulnerability exist in a call path view directly in CAST AD Dashboard.

OWASP 2013 - A8 – Cross-Site Request Forgery (CSRF)

"A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim."

Most CSRF defences can be bypassed using attacker-controlled script, so the a required step to protect against A8 is to implement a proper Cross Site Scripting protection. See the description for A3 above.

OWASP 2007 - A6 – Information Leakage and Improper Error Handling

Rule of a previous version of the OWASP Top 10 with no equivalent in recent versions. Kept here for reference.

"Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks."
CAST supports the protection against "A6 – Information Leakage and Improper Error Handling" thru the use of the following rules integrated in the technical criteria metric called "Programming Practices - Error and Exception Handling":

.NET: Avoid catching an exception of type Exception
.NET: Avoid empty catch blocks
.NET: Avoid empty finally blocks
.NET: Avoid throwing an exception of type Exception
ABAP: Avoid missing WHEN OTHERS in CASE statements
ABAP: Avoid unchecked return code (SY-SUBRC) after OPEN SQL or READ statement
ABAP: Avoid using AT events in combination of LOOP AT .... WHERE constructs
ASP: Use of error handling page
COBOL: Avoid DISPLAY ... UPON CONSOLE
COBOL: Avoid using HANDLE ABEND
COBOL: Avoid using HANDLE CONDITION
COBOL: Avoid using IGNORE CONDITION
COBOL: Include a WHEN OTHER clause when using EVALUATE
COBOL: Programs accessing relational databases must include the SQLCA copybook
Java: Avoid catch blocks with assertion
Java: Avoid catching an exception of type Exception, RuntimeException, or Throwable
Java: Avoid declaring throwing an exception and not throwing it
Java: Avoid direct Class inheritance from java.lang.Throwable
Java: Avoid empty catch blocks
Java: Avoid empty finally blocks
Java: Avoid missing default in switch statements
Java: Avoid return statements in finally blocks
Java: Avoid throwing an exception in a catch block without chaining it
Java: Avoid throwing an exception of type Exception
Java: Avoid using 'java.lang.Error'
Java: Avoid using 'java.System.exit()'
Java: Avoid using 'System.err' and 'System.out' outside a try catch block
Java: Avoid using 'System.err' and 'System.out' within a try catch block
Java: Avoid using 'System.printStackTrace()' outside a try catch block
Java: Avoid using 'System.printStackTrace()' within a try catch block
JSP: Pages should use error handling page
PL-SQL: Use WHEN OTHERS in exception management
T-SQL: Avoid Functions and Procedures doing an Insert, Update or Delete without including error management
T-SQL: Avoid Stored Procedures not returning a status value
VB: Avoid using "On error Resume Next" in the Class event terminate.
VB: Use a single Error Handling Method

CAST AIP coverage for CISQ/OMG

Please refer to the following page: Support of the CISQ/OMG Automated Source Code Measurement Standards