Safety of Data in CAST Highlight
Frequently Asked Questions
Absolutely. With CAST Highlight, no source code is ever uploaded to the cloud (download the CAST Highlight document on security and confidentiality of the platform); only analysis results are, over HTTPS, encrypted in transit using a 256-bit encryption mechanism. CAST Highlight's platform is regularly reviewed and tested by third-party security experts. The platform and related business processes are certified ISO/IEC 27001:2013, 27017 and 27018 (download the certificate).
CAST Highlight is hosted on AWS, Microsoft Azure, and Google Cloud.
ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. Certification requires providers to: systematically evaluate their information security risks, taking into account the impact of company threats and vulnerabilities; design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks; and adopt an overarching management process to ensure that the information security controls meet their information security needs on an ongoing basis. The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way. ISO 27001 certification means that an accredited, independent third-party auditor has assessed our processes and controls and confirmed that they operate in alignment with the ISO 27001 standard.
The ISMS of CAST's cloud-based software analysis services has been certified ISO/IEC 27001:2013. In addition, CAST partners with ISO 27001 certified cloud service providers to ensure your data is secure in CAST Highlight. Our pursuit of ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally recognized standard confirms that our security management program is comprehensive and follows leading practices. This certification provides more clarity and assurance for customers evaluating the breadth and strength of our security practices. In the meantime, our partnership with Amazon provides secure solutions through a certified provider.
The Cloud First policy mandates that US federal agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. The Office of Management and Budget (OMB) mandate states that agencies must "use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services" (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, cost and resources in their evaluation of the security of cloud providers.
CAST completes yearly penetration tests conducted by a reputable third-party specialist. A copy of this report is available by request.
There is no client source code stored in CAST Highlight. The metadata results of the source code scan are hosted on AWS, Azure, and Google Cloud and can only be accessed through the application portal. RDBMS encryption is done at the database level. CAST Highlight uses AES-256 to encrypt data at rest.
The front end, website and database are segregated into distinct networks, and access between them is restricted to the required flows.
For users configured with credential accounts (login/password), access to their account is secured by a salted hash of their password (AES-256 encryption).
TLS 1.2 and TLS 1.3 are used to protect data in transit. No source code is transmitted as part of the CAST Highlight application assessment process.
RDBMS encryption is done at the database level. CAST Highlight uses AES-256 to encrypt data at rest.
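The answer above states that credential accounts are protected by a salted hash of the password. As an added illustration of what that means in practice, the following Python example shows how a per-user random salt is generated, how the password is hashed with a slow key-derivation function, and how a login attempt is verified without ever storing the password itself. This is example code written for this page, not CAST Highlight's implementation: the choice of PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count and the record format are all assumptions, since the page does not specify them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions for this example; the page does not say which
# hash function, salt length or work factor CAST Highlight actually uses.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000
KEY_LEN = 32
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_b64$hash_b64.

    A fresh random salt for every user means two users who pick the same
    password get different records, so a leaked table cannot be attacked
    with a single precomputed lookup. The iteration count is stored with
    the record so it can be raised later without breaking old accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return "$".join(
        [
            SCHEME,
            str(ITERATIONS),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        # Malformed record: reject rather than raise, so a corrupted row
        # behaves like a failed login instead of crashing the auth path.
        return False
    if scheme != SCHEME or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                # False
```

The record stores everything needed to check a password except the password itself; only the stored string goes to the database, and verification never decrypts anything, which is what distinguishes a salted hash from reversible encryption of the credential.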
As part of our release process, CAST Highlight is scanned on a weekly basis for vulnerabilities. Third-party components are regularly reviewed and upgraded to safer versions if required.
As part of its SDLC, the product development team follows OWASP secure development good practices.
Yes, the CAST Information Security policy is available by request.