Extension ID
com.castsoftware.owasp-index
Description
This extension computes the OWASP-2021, OWASP-2017 and OWASP-2013 "top ten" application security risks as technical criteria grades. All CAST rules that carry an OWASP-related tag contribute to the corresponding OWASP technical criteria provided by the extension, so that grades and rule violations can be reported per OWASP risk.
Compatibility
Product | Release | Supported |
---|---|---|
AIP Core | ≥ 8.3.24 | |
CAST Engineering Dashboard | ≥ 1.5 | |
CAST Health Dashboard | ≥ 1.17 | |
CAST Security Dashboard | ≥ 1.20 | |
OWASP version | Supported |
---|---|
2021 | |
2017 | |
2013 | |
Download and installation instructions
Configuration requirements
Generate a snapshot
A new snapshot must be generated (after the extension is installed) before results can be viewed. If you do not immediately see changes in the dashboard, please consider restarting Apache Tomcat and/or emptying your browser cache.
Engineering Dashboard
Tiles
Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.18 of the Engineering Dashboard. See Engineering Dashboard tile management for more information.
Clicking on the tile navigates to the Risk investigation view, where the specified Industry Standard is pre-selected in the Health Factor table.
Set filterHealthFactor option to false (only required in Engineering Dashboard ≤ 1.17)
Health Dashboard
Out of the box, no tiles will be provided to display data for this extension, however it is possible to create tiles manually to display Grade, Compliance, and Violation data directly from this extension using the Industry Standard/s tile plugin in v. ≥ 1.17 of the Health Dashboard. See Health Dashboard tile management for more information. Clicking on any of these tiles will display a list of the rules that have been tagged with the specified standard as provided by the extension. Compliance percentage is also displayed in a "bubble".
Example for cmp.json
Configuration to create a "gauge" tile at portfolio level (multi-app level) to show an OWASP-2017 A1-2017 tile:
```json
{
  "id": 1234,
  "plugin": "IndustryStandards",
  "color": "black",
  "parameters": {
    "type": "OWASP-2017",
    "title": "OWASP-2017 A1-2017",
    "widget": "gauge",
    "industryStandard": {
      "id": "1062321",
      "indexID": "1062320",
      "mode": "grade",
      "format": "0.00",
      "description": "OWASP-2017 A1-2017, in grade format"
    }
  }
}
```
Example for app.json
Configuration to create a "number of violations" tile at application level (single app level) to show an OWASP-2017 A1-2017 tile:
```json
{
  "id": 1236,
  "plugin": "IndustryStandard",
  "color": "orange",
  "parameters": {
    "type": "OWASP-2017",
    "title": "OWASP-2017 A1-2017",
    "industryStandard": {
      "id": "1062321",
      "indexID": "1062320",
      "mode": "violations",
      "format": "0,000",
      "description": "OWASP-2017 A1-2017, in number of violations format"
    }
  }
}
```
What results can you expect?
Once the analysis/snapshot generation has completed, you can view the results in the dashboards:
Assessment Model
Various Business and Technical Criteria will be added by the extension:
OWASP 2021
ID | Name | Type |
---|---|---|
1062340 | OWASP-2021 | Business Criterion |
1062341 | A01-2021 | Technical Criterion |
1062342 | A02-2021 | Technical Criterion |
1062343 | A03-2021 | Technical Criterion |
1062344 | A04-2021 | Technical Criterion |
1062345 | A05-2021 | Technical Criterion |
1062346 | A06-2021 | Technical Criterion |
1062347 | A07-2021 | Technical Criterion |
1062348 | A08-2021 | Technical Criterion |
1062349 | A09-2021 | Technical Criterion |
1062350 | A10-2021 | Technical Criterion |
OWASP 2017
ID | Name | Type |
---|---|---|
1062320 | OWASP-2017 | Business Criterion |
1062321 | A1-2017 | Technical Criterion |
1062322 | A2-2017 | Technical Criterion |
1062323 | A3-2017 | Technical Criterion |
1062324 | A4-2017 | Technical Criterion |
1062325 | A5-2017 | Technical Criterion |
1062326 | A6-2017 | Technical Criterion |
1062327 | A7-2017 | Technical Criterion |
1062328 | A8-2017 | Technical Criterion |
1062329 | A9-2017 | Technical Criterion |
OWASP 2013
ID | Name | Type |
---|---|---|
1062300 | OWASP-2013 | Business Criterion |
1062301 | A1-2013 | Technical Criterion |
1062302 | A2-2013 | Technical Criterion |
1062303 | A3-2013 | Technical Criterion |
1062304 | A4-2013 | Technical Criterion |
1062305 | A5-2013 | Technical Criterion |
1062306 | A6-2013 | Technical Criterion |
1062307 | A7-2013 | Technical Criterion |
1062308 | A8-2013 | Technical Criterion |
1062309 | A9-2013 | Technical Criterion |
1062310 | A10-2013 | Technical Criterion |
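The two tile examples above (cmp.json and app.json) hard-code one criterion; the tables in this section give the IDs for every criterion. The following script is an added example, not part of the extension or CAST's documentation: it encodes the Business Criterion (indexID) and Technical Criterion IDs exactly as listed in the tables, generates tile entries in the shape of the page's examples for any standard, criterion and mode, and checks a hand-written entry for an id/indexID that does not belong together. The function names, the tile ids (1234, 2000...) and the `plugin` default are assumptions; the page itself shows both "IndustryStandards" (cmp.json) and "IndustryStandard" (app.json), so pass whichever your dashboard version expects.

```python
import json

# Assessment Model IDs exactly as listed in the tables above: each standard's
# Business Criterion is the indexID, and its Technical Criteria are the
# per-risk IDs (A01-2021 = 1062341 ... A10-2021 = 1062350, and so on).
OWASP_INDEXES = {
    "OWASP-2021": {
        "indexID": "1062340",
        "criteria": {f"A{n:02d}-2021": str(1062340 + n) for n in range(1, 11)},
    },
    "OWASP-2017": {
        "indexID": "1062320",
        "criteria": {f"A{n}-2017": str(1062320 + n) for n in range(1, 10)},
    },
    "OWASP-2013": {
        "indexID": "1062300",
        "criteria": {f"A{n}-2013": str(1062300 + n) for n in range(1, 11)},
    },
}

# Number formats and description wording used by the page's two examples.
FORMATS = {"grade": "0.00", "violations": "0,000"}
DESCRIPTIONS = {"grade": "grade", "violations": "number of violations"}


def make_tile(tile_id, standard, criterion, mode, color="black",
              widget=None, plugin="IndustryStandards"):
    """Build one Industry Standard tile entry in the shape of the cmp.json /
    app.json examples. `plugin` defaults to the cmp.json spelling (assumption:
    pass "IndustryStandard" if your dashboard uses the app.json spelling)."""
    if standard not in OWASP_INDEXES:
        raise ValueError(f"unknown standard {standard!r}")
    index = OWASP_INDEXES[standard]
    if criterion not in index["criteria"]:
        raise ValueError(f"{criterion!r} is not a criterion of {standard}")
    if mode not in FORMATS:
        raise ValueError("mode must be 'grade' or 'violations'")
    parameters = {
        "type": standard,
        "title": f"{standard} {criterion}",
        "industryStandard": {
            "id": index["criteria"][criterion],
            "indexID": index["indexID"],
            "mode": mode,
            "format": FORMATS[mode],
            "description": f"{standard} {criterion}, in {DESCRIPTIONS[mode]} format",
        },
    }
    if widget is not None:  # e.g. "gauge", as in the portfolio-level example
        parameters["widget"] = widget
    return {"id": tile_id, "plugin": plugin, "color": color, "parameters": parameters}


def tiles_for_standard(standard, mode, first_id, **kwargs):
    """One tile per Technical Criterion of a standard, with consecutive tile ids."""
    criteria = OWASP_INDEXES[standard]["criteria"]
    return [make_tile(first_id + i, standard, name, mode, **kwargs)
            for i, name in enumerate(criteria)]


def check_tile(tile):
    """Return the problems found in a tile entry: an indexID that is not the
    declared standard's Business Criterion, an id that is not one of its
    Technical Criteria, or an unknown mode. An empty list means consistent."""
    problems = []
    params = tile.get("parameters", {})
    standard = params.get("type")
    ind = params.get("industryStandard", {})
    index = OWASP_INDEXES.get(standard)
    if index is None:
        return [f"unknown type {standard!r}"]
    if ind.get("indexID") != index["indexID"]:
        problems.append(f"indexID {ind.get('indexID')!r} is not the {standard} Business Criterion")
    if ind.get("id") not in index["criteria"].values():
        problems.append(f"id {ind.get('id')!r} is not a {standard} Technical Criterion")
    if ind.get("mode") not in FORMATS:
        problems.append(f"mode {ind.get('mode')!r} is not 'grade' or 'violations'")
    return problems


if __name__ == "__main__":
    # Regenerate the page's cmp.json gauge example, then a full set of
    # OWASP-2021 violation tiles for an app.json (tile ids are arbitrary).
    print(json.dumps(make_tile(1234, "OWASP-2017", "A1-2017", "grade", widget="gauge"), indent=2))
    print(json.dumps(tiles_for_standard("OWASP-2021", "violations", 2000, color="orange"), indent=2))
```

Paste the generated objects into the tiles array of cmp.json or app.json as appropriate; `check_tile` is useful before a dashboard restart, since a tile whose `id` and `indexID` point at different standards silently shows the wrong data rather than failing to load.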
Engineering Dashboard
≥ 1.18.0
In ≥ 1.18.0, results are displayed out of the box in a dedicated interface: click the relevant OWASP Assessment Model option to view them.
≤ 1.17.0
Health Dashboard
Out of the box, no results are provided. Tiles can be configured manually as described above.
Security Dashboard
Out of the box, results are displayed in a dedicated interface: click either the OWASP-2013 or the OWASP-2017 Assessment Model option (after clicking the Risk Investigation tile on the Application home page) to view the results:
RestAPI
The RestAPI can be used to query both the Dashboard (AED) and Measurement (AAD) schemas for results, for example: