Safety of Data in CAST Highlight
Frequently Asked Questions

CAST Highlight scans the source code and other build artifacts comprising a software application, and automatically derives insights such as cloud maturity, software composition, open source risks, resiliency, agility, and technical debt.
This document answers common questions about the mechanisms built into CAST Highlight and the standards followed during its development process for addressing the safety and security of the source code being analyzed, and the derived insights being provided by CAST Highlight.
CAST Highlight is deployed as a SaaS software product.
Is my data secure?

Absolutely. With CAST Highlight, no source code is ever uploaded to the cloud (download the CAST Highlight document on security and confidentiality of the platform). Only analysis results are uploaded, over HTTPS, encrypted in transit using a 256-bit encryption mechanism. CAST Highlight's platform is regularly reviewed and tested by third-party security experts. The platform and related business processes are certified ISO/IEC 27001:2013, 27017 and 27018 (download the certificate).

Where is CAST Highlight hosted?

CAST Highlight is hosted on AWS, Microsoft Azure, and Google Cloud.

What is ISO/IEC 27001:2013 certification and is CAST Highlight certified?

ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. Certification requires providers to systematically evaluate their information security risks, taking into account the impact of company threats and vulnerabilities; to design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks; and to adopt an overarching management process to ensure that the information security controls meet their information security needs on an ongoing basis. The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way. ISO 27001 certification means that an accredited, independent third-party auditor has assessed our processes and controls and confirms that they operate in alignment with the ISO 27001 standard.

The ISMS of CAST's cloud-based software analysis services has been certified ISO/IEC 27001:2013. In addition, CAST partners with ISO 27001 certified cloud service providers to ensure your data is secure in CAST Highlight. Our pursuit of ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally recognized standard confirms that our security management program is comprehensive and follows leading practices. This certification provides more clarity and assurance for customers evaluating the breadth and strength of our security practices. In the meantime, our partnership with Amazon provides secure solutions through a certified provider.

What is FedRAMP and why is it important in the US?

The Cloud First policy mandates that US federal agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. The Office of Management and Budget (OMB) mandate states that agencies must "use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services" (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, cost and resources when evaluating the security of cloud providers.

Does CAST perform any WAPT (pentest), and what is the frequency of the test? Pentest reports, recurring testing cycles, process followed.

CAST completes yearly penetration tests conducted by a reputable third-party specialist. A copy of this report is available by request.

Where is client data stored, is it encrypted and access controlled?

There is no client source code stored in CAST Highlight. The metadata results of the source code scan are hosted on AWS, Azure, and Google Cloud and can only be accessed through the application portal. RDBMS encryption is done at the database level. CAST Highlight uses AES-256 to encrypt data at rest.

The front end, website and database are segregated into distinct networks, and access between them is restricted to the required flows.

For users configured with credential accounts (login/password), access to their account is secured by a salted hash of their password (AES-256 encryption).
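To make the phrase "salted hash of their password" concrete, the following is an added illustration of how a credential store typically protects passwords; it is example code written for this page and is not CAST Highlight's implementation. The scheme, parameters (PBKDF2-HMAC-SHA256, 16-byte random salt, 600,000 iterations) and the record format are assumptions chosen for the example. The point it demonstrates is that the password itself is never stored, that each user gets an independent salt so identical passwords produce different records, and that verification compares digests in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration (assumed, not CAST Highlight's real values).
ALGORITHM = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16               # 128-bit per-user random salt


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$digest_hex'.

    Only this record is stored; the plaintext password is discarded.
    A fresh random salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time.

    Any malformed or unknown record is rejected rather than raising.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than the current policy."""
    try:
        algo, iters, _salt_hex, _digest_hex = stored.split("$")
        return algo != ALGORITHM or int(iters) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample credentials for two users who happen to share a password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ although passwords match:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", verify_password("Tr0ub4dor&3", alice))
```

On a successful login the application can call `needs_rehash` on the stored record and, if the work factor has been raised since the record was written, transparently re-hash the just-verified password under the current policy.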

Is data encrypted in transit and also at rest?

TLS-1.2 and 1.3 enabled protocols are used to protect data during transit. No source code is transmitted as part of the CAST Highlight application assessment process.

RDBMS encryption is done at the database level. CAST Highlight uses AES-256 to encrypt data at rest.

Does your organization conduct vulnerability scanning at least quarterly?

As part of our release process, CAST Highlight is scanned on a weekly basis for vulnerabilities. Third-party components are regularly reviewed and upgraded to safer versions if required.

Does your organization implement secure coding best practices during product development life cycle?

As part of its SDLC, the product development team follows OWASP development good practices.

Does your organization have an information security policy?

Yes, the CAST Information Security policy is available by request.