Frequently Asked Questions

General Questions
How frequently should I analyze my application portfolio with CAST Highlight?

It is recommended to run a snapshot of CAST Highlight every quarter in order to see how your portfolio is trending over time. Highlight also provides a scriptable command line that helps you automate the code scan within your CI/CD environment.

Can I get access to the raw data provided by CAST Highlight?

The results of CAST Highlight’s application portfolio analysis can be viewed through CAST Highlight’s online interactive portal. You can also integrate our public API or export all raw data into an XML or Excel file, making it easy for you to integrate CAST Highlight’s Software Intelligence insights and metrics into your existing reporting tools.

Which technologies does CAST Highlight support?

CAST Highlight supports over 40 technologies. The list below outlines the supported technologies for each capability of the platform. Click here to see the technology coverage by use case (Sizing Metrics, Software Health, Cloud Readiness, Software Composition).

How long does it take to analyze an application?

The Local Agent scans code quickly. It takes less than 5 minutes to analyze a normal-sized application of 150,000 lines of code (LOC) in Java. Note that our command line allows you to run multiple scans in parallel on the same machine. A large application of 1M LOC can be analyzed in less than an hour. Found something slow during the scan? Contact our product team; we love to continuously improve our analyzers.

What are the hardware/software requirements to scan my source code with the Local Agent?

  • Microsoft Windows operating system, Windows 8 or later
  • Chrome (highly recommended for the best experience), Microsoft Edge, Firefox ESR
  • Local Agent Install/Scan: 300MB free disk space, 4GB memory
  • Source code is available and stored in text files accessible from a Windows machine

Which operating systems and browsers are supported by CAST Highlight?

The CAST Highlight portal is compatible with Microsoft Edge; Firefox ESR or higher; Safari 5.1.7 or higher; and all versions of Chrome. The portal is accessible on desktops, tablets and smartphones. The CAST Highlight Local Agent is compatible with Windows 8 or higher and can be run on desktops. The command line supports various operating systems, including Windows, Linux and macOS.

Is it possible to put CAST Highlight on my server?

No, we’re a SaaS product. CAST Highlight is deployed, managed, secured and supported exclusively by CAST. One of the great advantages of this model is that there is no infrastructure cost or upgrade effort.

Does source code leave my infrastructure?

Never. We make the agent available to you so that the analysis can be performed wherever your code may exist. The only information exchanged between our clients and us is the information you provide as part of the portfolio analysis survey and the output of the code quality analysis. Customer data is not sent over the internet either by e-mail or via other internet protocols. The result of the code-level analysis performed by CAST Highlight on the client infrastructure is uploaded to the website through HTTPS and encrypted in transit using a 256-bit encryption mechanism.

CAST Highlight generates a .csv file that consists of three segments: Output File Attributes, Section Attributes and File Attributes. The Output File Attributes identify the version of the analyzed application, the version of the analyzer and the type of analyzer by language; they also provide the file name and the date the analysis was performed. The Section Attributes define the file structure for the specific analyzer along with additional analyzer attributes. The File Attributes are a summary generated for each file analyzed. Scan metrics are anonymized (e.g. Id_123) and decoded by the portal once the file has been uploaded.

Does CAST Highlight connect to my software configuration systems?

Not currently. We are investigating that option for the future. If you have a specific system in mind, please let us know. However, CAST Highlight comes with a scriptable command line and a Docker image that can easily be integrated within your CI/CD environment. In addition, during the first scan of an application, the CAST Highlight Agent captures the configuration you made (exclusion of certain technologies, folders or files), which saves you time on subsequent scans of the same application.

Can I add team members or colleagues to my CAST Highlight account?

Yes, you can add as many team members to participate as you wish. Simply select Add Member from the Plan page. You will need to provide their email address and CAST Highlight will send them an invitation to join. Three user roles are available: Portfolio Manager (can create, edit, delete applications, scan results and campaigns, invite users, etc.), Contributors (can upload code scan results, answer the application survey and see analytics and dashboards for their applications) and Result Viewers (can only see application portfolio analytics and dashboards).

My user account is locked after 3 failed login attempts. How can I unlock it?

For security purposes, 3 successive failed login attempts will lock your user account. To unlock it, use the “Forgot Password” feature available from the login page. Enter your CAST Highlight user login to receive a new activation link that will unlock your account.

Why can’t I see the analyses in the CAST Highlight portal?

Each user of CAST Highlight is attributed a specific role. Some roles have limited viewing rights. Please check with your CAST Highlight Administrator at your company for the type of access rights you have. Not sure who your Administrator is? Contact us.

What languages are supported by the Highlight user interface?

The CAST Highlight user interface supports the following languages: English, French, Chinese, Japanese. Learn more in this article.

Indicators & Methodology
How is each of the CAST Highlight health factor indicators derived?

Each of these software health indicators is a simple aggregation of specific patterns. Each file starts with an ideal score, and each time a pattern is detected, Highlight decrements that score. Once the agent has finished analyzing a file, it calculates how many points were decremented from the ideal score and determines the file’s score. For example, if a file loses 25% of its score, it will be classified in the green (high quality). If a file loses 50% of its points, it will be categorized in the orange (medium quality). A file that loses 75% or more of its points will be classified in the red (low quality). This method is applied by each health area to provide a score per software health indicator.
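The scoring scheme just described, written out as an added example (this is not CAST Highlight’s own code or rule set). The pattern names, the point penalties, the starting score of 100, the plain-mean roll-up and the exact boundaries between the three colour bands are all assumptions; the page only fixes the three reference points (25% lost is green, 50% is orange, 75% or more is red).

```python
"""Added example, not CAST Highlight's own code: per-file health scoring as
the FAQ describes it. Each file starts from an ideal score, loses points per
detected pattern, and is classified by the share of points lost."""
from dataclasses import dataclass

IDEAL_SCORE = 100  # assumed starting score for every file

# Constructed pattern catalogue for one health area. The names and point
# penalties are illustrative, not CAST Highlight's real rule set.
PENALTIES = {
    "empty_catch_block": 10,
    "unbounded_recursion": 25,
    "unchecked_return_value": 5,
}


@dataclass
class FileResult:
    path: str
    detections: list
    score: int = IDEAL_SCORE


def score_file(path, detections):
    """Decrement the ideal score once for every detected pattern occurrence,
    never going below zero."""
    result = FileResult(path, list(detections))
    for name in detections:
        result.score = max(0, result.score - PENALTIES[name])
    return result


def points_lost_pct(result):
    return 100 * (IDEAL_SCORE - result.score) / IDEAL_SCORE


def classify(result):
    """Map the share of lost points to the FAQ's colour bands. The FAQ gives
    three reference points (25% lost -> green, 50% -> orange, 75% or more ->
    red); the exact boundaries between the bands are an assumption here."""
    lost = points_lost_pct(result)
    if lost >= 75:
        return "red"
    if lost >= 50:
        return "orange"
    return "green"


def indicator_score(results):
    """Roll per-file scores up into one health indicator value. A plain mean
    is assumed; the page does not describe the real aggregation."""
    return sum(r.score for r in results) / len(results)


# Constructed scan output: file path -> detected pattern names.
SAMPLE_DETECTIONS = {
    "src/Parser.java": ["unchecked_return_value"] * 5,                        # loses 25
    "src/Walker.java": ["unbounded_recursion"] * 2,                           # loses 50
    "src/Loader.java": ["unbounded_recursion"] * 3,                           # loses 75
    "src/Legacy.java": ["unbounded_recursion"] * 4 + ["empty_catch_block"],   # clamped at 0
}

RESULTS = [score_file(path, found) for path, found in SAMPLE_DETECTIONS.items()]

if __name__ == "__main__":
    for r in RESULTS:
        print(f"{r.path}: score {r.score} ({points_lost_pct(r):.0f}% lost) -> {classify(r)}")
    print("indicator score:", indicator_score(RESULTS))
```

Running the block prints one line per constructed file with its score, the share of points lost and its colour, followed by the rolled-up indicator value for the four files.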

What is a Code Insight?

Code Insights are symptoms in your code that possibly indicate a deeper problem. CAST Highlight automatically detects these code insights to help build the software health indicators. Code insights are not necessarily problems in themselves. For example, long methods are often a symptom of mismanaged object responsibilities that require changes to the domain model. Simply splitting a long method into smaller methods is not always the way to go.

Where do CAST Highlight’s application benchmarks come from? How do I interpret the benchmark scores?

Our benchmark data aggregates the averages from all applications that have been analyzed in CAST Highlight. CAST Highlight has analyzed billions of lines of code from 10,000+ applications. Our benchmarks are based on statistical quartiles. If, for a given application, the software health indicator is in the 1st quartile, then the app scored in the upper 25%, indicating higher software health compared to other applications. If the software health indicator is in the 4th quartile, then the app scored in the lower 25%, indicating lower software health compared to others.

What is Software Resiliency?

Software Resiliency indicates programming best practices that make software bullet-proof, more robust and secure. This index is derived through technology-specific code analysis that searches for the presence of code patterns that may compromise the reliability of the software in the short term. For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Software Agility?

Software Agility indicates how easy it is for a development team to understand and maintain an application. This index is derived through technology-specific code analysis that searches for the presence of embedded documentation and code readability good practices.

For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Software Elegance?

Software Elegance measures the ability to deliver software value with less code complexity. A low Software Elegance score indicates decreased quality in the code, resulting in more defects that become costly to fix in the mid-term.

For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Cloud Readiness?

In Highlight, the cloud readiness of an application is measured by the CloudReady index. This indicator assesses the software and organization characteristics that can slow down or speed up a PaaS migration.

For more detailed information about this indicator, please visit our dedicated page.

What is Open Source Safety?

Open Source Safety indicates the use of 3rd-party components that comply with security, license and age requirements. This index from 0 (low safety) to 100 (high safety) is an average of the three main scores for measuring Open Source/Third-Party component risk: Security & Vulnerabilities, License Compliance, Technology Obsolescence.

For more detailed information about this indicator, please visit our dedicated page.

How does CAST Highlight calculate an application’s Business Impact?

The Business Impact Index measures the criticality of an application to your company’s business. The index is derived through specific online survey questions concerning application impact on the business.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

Do you detect framework and library usage within applications?

Yes. CAST consolidates one of the largest databases of software components, with billions of signatures (fingerprints) computed for each version of open source and third-party components. Based on this unique database, CAST Highlight compares the fingerprints of your application files and aggregates component, version, license and release date information at both portfolio and application levels.
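To make the fingerprint matching concrete, here is an added example that is not CAST’s code and does not use CAST’s database. It hashes each application file, looks the digest up in a small component fingerprint database constructed inline, and aggregates the hits at application level (component, version, license, release date, matched paths) and at portfolio level (which applications embed which component versions). The component names, versions, licenses, dates and file contents are all constructed, and a plain SHA-256 of the file bytes is assumed to stand in for the vendor’s real fingerprint scheme.

```python
"""Added example, not CAST's code or fingerprint database: detect third-party
components by hashing application files and looking the digests up in a
(constructed) component fingerprint database, then aggregate the hits per
application and across a portfolio."""
import hashlib
from collections import defaultdict


def fingerprint(content: bytes) -> str:
    # A plain SHA-256 of the file bytes stands in for the vendor's fingerprint
    # scheme, which the page does not describe (assumption).
    return hashlib.sha256(content).hexdigest()


# Constructed library files, as they would ship in each component's release.
LIB_FILES = {
    ("acme-json", "1.2.0"): b"// acme-json 1.2.0\nexports.parse = function (s) {};\n",
    ("acme-json", "1.4.1"): b"// acme-json 1.4.1\nexports.parse = function (s) {};\n",
    ("fastlog", "0.9"): b"# fastlog 0.9\ndef log(msg):\n    print(msg)\n",
}

# Constructed metadata per component version (licenses and dates are made up).
COMPONENT_META = {
    ("acme-json", "1.2.0"): {"license": "MIT", "released": "2019-03-01"},
    ("acme-json", "1.4.1"): {"license": "MIT", "released": "2022-07-15"},
    ("fastlog", "0.9"): {"license": "GPL-3.0", "released": "2017-11-20"},
}

# Fingerprint database: digest -> (component, version).
FINGERPRINT_DB = {fingerprint(content): key for key, content in LIB_FILES.items()}


def scan_application(files):
    """files: {relative path: bytes}. Returns {(component, version): info},
    where info carries the license, release date and the matched paths."""
    found = {}
    for path, content in files.items():
        key = FINGERPRINT_DB.get(fingerprint(content))
        if key is None:
            continue  # the application's own code, or a component we do not know
        info = found.setdefault(key, {**COMPONENT_META[key], "files": []})
        info["files"].append(path)
    return found


def portfolio_view(applications):
    """applications: {app name: files}. Returns {(component, version): set of
    application names}, i.e. which apps embed which component versions."""
    usage = defaultdict(set)
    for app_name, files in applications.items():
        for key in scan_application(files):
            usage[key].add(app_name)
    return dict(usage)


# Constructed portfolio: two applications with vendored copies of the libraries.
APPLICATIONS = {
    "billing": {
        "src/app.js": b"const json = require('./vendor/json');\n",
        "src/vendor/json.js": LIB_FILES[("acme-json", "1.2.0")],
    },
    "portal": {
        "web/lib/json.js": LIB_FILES[("acme-json", "1.4.1")],
        "tools/log.py": LIB_FILES[("fastlog", "0.9")],
        "tools/main.py": b"from log import log\nlog('hi')\n",
    },
}

if __name__ == "__main__":
    for app, files in APPLICATIONS.items():
        for (name, version), info in scan_application(files).items():
            print(f"{app}: {name} {version} ({info['license']}, {info['released']}) in {info['files']}")
    for key, apps in sorted(portfolio_view(APPLICATIONS).items()):
        print(f"portfolio: {key[0]} {key[1]} used by {sorted(apps)}")
```

Because the lookup is by digest, a vendored copy is recognized regardless of where it sits in the tree or what it is named, and files with no match are simply treated as the application’s own code. The portfolio view is what makes it possible to answer questions such as which applications still embed an older version of a component.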

For more detailed information about CAST Highlight’s Software Composition Analysis (SCA) capabilities, please visit our Indicator & Methodology section.

How is the Software Maintenance Effort calculated?

Based on COCOMO II (Constructive Cost Model – Post Architecture), the Software Maintenance Effort calculated by Highlight estimates the ideal level of effort in order to maintain an application in good operational conditions, expressed in FTE (Full-Time Equivalent). This indicator is derived both from the Software Maintenance survey and the software quality analysis which are computed during the source code scan.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

What are Backfired Function Points and how are they calculated?

Back-Fired Function Points (BFP) estimate the number of function points of an application. This code-derived metric is based on the lines of code, weighted by an abacus for a given technology.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

What is Technical Debt?

The term “Technical Debt”, first defined by Ward Cunningham, is having a renaissance. A wide variety of ways to define and calculate Technical Debt are emerging. Technical Debt represents the effort required to fix problems that remain in the code when an application is released. It is an emerging concept, and little reference data regarding the metaphor is available in a typical application.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

How does CAST Highlight estimate Technical Debt?

Technical Debt estimates exclusively rely on CAST Highlight’s code insights and their respective number of occurrences found during the code scan:

– Each code insight for each technology (where Software Health is supported) has its own effort estimate expressed in minutes, hours, or person-days. This effort is the estimated time required to fix one occurrence of the corresponding code insight.

– When an application is onboarded, CAST Highlight multiplies occurrences found for each code insight by the effort estimate.

– The total Technical Debt estimate equals the sum of all code insight effort estimates.
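The three steps above carried through on constructed data, as an added example that is not CAST Highlight’s own code or effort catalogue. The insight names, the per-occurrence effort values and the occurrence counts are made up, and an eight-hour person-day is assumed when normalizing minutes, hours and person-days to one unit. The example also covers the case the first bullet implies: an insight for a technology with no effort estimate is reported separately rather than silently counted as zero.

```python
"""Added example, not CAST Highlight's own code: Technical Debt estimated as
the FAQ describes, one effort estimate per (technology, code insight),
multiplied by the occurrences found in the scan and summed."""
from fractions import Fraction

# Assumed: one person-day is eight working hours.
MINUTES_PER_UNIT = {"minutes": 1, "hours": 60, "person-days": 8 * 60}

# Constructed effort catalogue: (technology, code insight) -> (amount, unit).
# The insight names and times are illustrative, not CAST's figures.
EFFORT_ESTIMATES = {
    ("java", "empty_catch_block"): (15, "minutes"),
    ("java", "god_class"): (2, "person-days"),
    ("python", "bare_except"): (10, "minutes"),
    ("python", "long_method"): (3, "hours"),
}


def effort_minutes(technology, insight):
    """Effort to fix one occurrence, normalized to minutes; None when no
    estimate exists (e.g. a technology without Software Health support)."""
    entry = EFFORT_ESTIMATES.get((technology, insight))
    if entry is None:
        return None
    amount, unit = entry
    return amount * MINUTES_PER_UNIT[unit]


def technical_debt(occurrences):
    """occurrences: {(technology, insight): count}. Returns the debt per
    insight in person-days, the total, and the insights that could not be
    estimated. Fractions keep the arithmetic exact."""
    breakdown = {}
    unestimated = []
    total = Fraction(0)
    for key, count in occurrences.items():
        per_fix = effort_minutes(*key)
        if per_fix is None:
            unestimated.append(key)
            continue
        debt = Fraction(count * per_fix, MINUTES_PER_UNIT["person-days"])
        breakdown[key] = debt
        total += debt
    return {"per_insight": breakdown, "total_person_days": total, "unestimated": unestimated}


# Constructed scan result for one application.
SCAN_OCCURRENCES = {
    ("java", "empty_catch_block"): 40,   # 40 x 15 min = 600 min
    ("java", "god_class"): 1,            # 1 x 2 days  = 960 min
    ("python", "bare_except"): 12,       # 12 x 10 min = 120 min
    ("python", "long_method"): 5,        # 5 x 3 h     = 900 min
    ("cobol", "goto_usage"): 7,          # no estimate in the catalogue
}

if __name__ == "__main__":
    result = technical_debt(SCAN_OCCURRENCES)
    for key, days in result["per_insight"].items():
        print(f"{key[0]}/{key[1]}: {float(days):.3f} person-days")
    print("total:", float(result["total_person_days"]), "person-days")
    print("no estimate for:", result["unestimated"])
```

With the constructed figures the four estimated insights add up to 2,580 minutes, i.e. 5.375 person-days, while the COBOL insight is listed as unestimated so the reader can see that the total is a lower bound for that application.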

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

Does CAST Highlight interface with source code configuration management tools?

CAST Highlight does not interface with source code configuration management tools. Therefore, your source code must be extracted from your SCM system and placed into a folder that can be accessed by our agent.

How do I analyze SAP code with CAST Highlight?

If you are going to analyze ABAP client code and want to identify links to SAP tables/programs, then you need to extract information from your SAP system. Because CAST Highlight cannot connect directly to the SAP tables to determine link information, Highlight leverages third-party tools to extract the table/program data into a format that can be read by the Local Agent.

For more detailed information about the tools Highlight can leverage to help you extract source code, please visit our Tutorial & Tools section.

What happens to the files that have extension that CAST Highlight does not recognize?

For technologies allowing files without extensions (typically COBOL), the Local Agent will scan the first lines of code looking for known keywords of a given technology (e.g. PERFORM, MOVE, etc.) and will associate the file with the detected technology. However, in order to configure your code scans accurately, you can manually “force” a technology for a set of files or folders from the Agent. The corresponding files will then be scanned with the analyzer you’ve selected.

For more detailed information on how to use Highlight, please visit our Tutorial & Tools section.

What if I discover that I missed some code: do I need to rerun the entire analysis?

If you’ve discovered that some part of an application was overlooked or missed, all you need to do is analyze that code, then log back into the CAST Highlight portal. You simply add it as a component of its corresponding application and it will be aggregated into the quality and size results for that application.

For more detailed information on how to use Highlight, please visit our Tutorial & Tools section.

Security of the Platform
Is my data secure?

Absolutely. With CAST Highlight, no source code is ever uploaded to the cloud (download the CAST Highlight document on the security and confidentiality of the platform); only analysis results are, through HTTPS, encrypted in transit using a 256-bit encryption mechanism. CAST Highlight’s platform is regularly reviewed and tested by third-party security experts. The platform and related business processes are certified ISO/IEC 27001:2013, 27017 and 27018 (download the certificate).

Where is CAST Highlight hosted?

CAST Highlight is hosted on AWS, Microsoft Azure, and Google Cloud.

What is ISO/IEC 27001:2013 certification and is CAST Highlight certified?

ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. Certification requires providers to:

  • Systematically evaluate their information security risks, taking into account the impact of company threats and vulnerabilities;
  • Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks; and
  • Adopt an overarching management process to ensure that the information security controls meet their information security needs on an ongoing basis.

The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way. ISO 27001 certification means that an accredited, independent third-party auditor has assessed our processes and controls and confirms that they operate in alignment with the ISO 27001 standard.

The ISMS of CAST’s cloud-based software analysis services has been certified ISO/IEC 27001:2013. In addition, CAST partners with ISO 27001-certified cloud service providers to ensure your data is secure in CAST Highlight. Our pursuit of ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally recognized standard confirms that our security management program is comprehensive and follows leading practices. This certification provides more clarity and assurance for customers evaluating the breadth and strength of our security practices. In the meantime, our partnership with Amazon provides secure solutions through a certified provider.

What is FedRAMP and why is it important in the US?

The Cloud First policy mandates that US federal agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. The Office of Management and Budget (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.

Does CAST perform any WAPT (pentest), and what is the frequency of the test? Pentest reports, recurring testing cycles, process followed.

CAST completes yearly penetration tests conducted by a reputable third-party specialist. A copy of this report is available by request.

Where is client data stored, is it encrypted and access controlled?

There is no client source code stored in CAST Highlight. The metadata results of the source code scan are hosted on AWS, Azure, and Google Cloud and can only be accessed through the application portal. RDBMS encryption is done at the database level. CAST Highlight uses AES-256 to encrypt data at rest.

The front end, website and database are segregated in distinct networks, to which access is restricted to the required flows.

Is data encrypted in transit and also at rest?

TLS 1.2 is used to protect data in transit. No source code is transmitted as part of the CAST Highlight application assessment process.

RDBMS encryption is done at the database level. CAST Highlight uses AES-256 to encrypt data at rest.

Does your organization conduct vulnerability scanning at least quarterly?

As part of our release process, CAST Highlight is scanned on a weekly basis for vulnerabilities. Third-party components are regularly reviewed and upgraded to safer versions if required.

Does your organization implement secure coding best practices during product development life cycle?

As part of its SDLC, the product development team follows OWASP development good practices.

Does your organization have an information security policy?

Yes, the CAST Information Security policy is available by request.