Frequently Asked Questions

General Questions
How frequently should I analyze my application portfolio with CAST Highlight?

It is recommended to run a snapshot of CAST Highlight every quarter in order to see how your portfolio is trending over time.

Can I get access to the raw data provided by CAST Highlight?

The results of CAST Highlight’s application portfolio analysis can be viewed through CAST Highlight’s online interactive portal. You can also export all raw data into an XML or Excel file, making it easy for you to integrate CAST Highlight’s IT portfolio metrics into your existing reporting tools.

Which technologies does CAST Highlight support?

Java, COBOL, SAP (ABAP), C/C++, C#, Objective-C, PHP, JavaScript, JSP, Visual Basic, VB.Net, VB6, Oracle PL/SQL, PL/1, Python, Microsoft T-SQL, NSDK, and Shell/BASH scripts.

How long does it take to analyze an application?

The Local Agent scans code quickly. It takes less than 5 minutes to analyze a normal-sized application of 150,000 lines of code (LOC) in Java. A large application of 1M LOC can be analyzed in less than an hour. Found something slow during the scan? Contact our product team; we continuously improve our analyzers.

Which operating systems and browsers are supported by CAST Highlight?

The CAST Highlight portal is compatible with Internet Explorer 10 or higher; Firefox ESR or higher; Safari 5.1.7 or higher; and all versions of Chrome. The portal is accessible on desktops, tablets and smartphones. The CAST Highlight Local Agent is compatible with Windows XP or higher and can be run on desktops.

Is it possible to put CAST Highlight on my server?

Not currently; CAST Highlight is a SaaS product. We are investigating how to deploy Highlight in a private cloud as an option, but currently CAST Highlight is only deployed, managed and supported by CAST.

Does source code leave my infrastructure?

Never. We make the agent available to you so that the analysis can be performed wherever your code may exist. The only information exchanged between our clients and us is the information you provide as part of the portfolio analysis survey and the output of the code quality analysis. Please note that customer data is not sent over the internet either by e-mail or via other internet protocols. The result of the code-level analysis performed by CAST Highlight on the client infrastructure is uploaded to the website over HTTPS and encrypted using a 256-bit encryption mechanism. CAST Highlight generates a .csv file that consists of three segments: Output File Attributes, Section Attributes and File Attributes. The Output File Attributes identify the version of the analyzed application, the version of the analyzer and the type of analyzer by language; they also provide the file name and the date the analysis was performed. The Section Attributes define the file structure for the specific analyzer along with additional analyzer attributes. The File Attributes are a summary generated for each file analyzed.

Does CAST Highlight connect to my software configuration systems?

Not currently. We are investigating that option for the future. If you have a specific system in mind, please let us know. However, during the first scan of an application, the Highlight Agent captures the configuration you made (exclusion of certain technologies, folders or files), which saves you time on future scans of the same application.

Can I add team members or colleagues to my CAST Highlight account?

Yes, you can add as many team members to participate as you wish. Simply select Add Member from the Plan page. You will need to provide their email address and CAST Highlight will send them an invitation to join.

Why can't I see the analyses in the CAST Highlight portal?

Each user of CAST Highlight is assigned a specific role. Some roles have limited viewing rights. Please check with the CAST Highlight Administrator at your company for the type of access rights you have. Not sure who your Administrator is? Contact us.

Indicators & Methodology
How are each of the CAST Highlight risk indicators derived?

Each of these risk indicators is a simple aggregation of specific patterns. Each file starts with an ideal score, and each time a pattern is detected, Highlight decrements the score. Once the agent has finished analyzing a file, it calculates how many points were decremented from the ideal score and determines the file's risk score. For example, if a file loses 25% of its score, it is classified green. If a file loses 50% of its points, it is categorized orange. A file that loses 75% or more of its points is classified red. This method is applied within each risk area to provide risk scoring per Risk Index.

What is a Code Smell?

Code Smells are symptoms of your code that possibly indicate a deeper problem. CAST Highlight automatically detects these code smells to help put together the risk indicators. Code smells are not necessarily problems themselves. For example, long methods are often a symptom of mismanaged object responsibilities that require changes to the domain model. Simply splitting up the long method into smaller methods is not always the way to go. For more information, read our code smells eBook.

Where do CAST Highlight’s application benchmarks come from? How do I interpret the benchmark scores?

Our benchmark data aggregates the averages from all applications that have been analyzed in CAST Highlight. CAST Highlight has analyzed over 650 million lines of code from 1,200+ applications. Our benchmarks are based on statistical quartiles. If for a given application the risk indicator is in the 1st quartile, then the app scored in the upper 25%, indicating a lower risk distribution compared to other applications. If the risk indicator is in the 4th quartile, then the app scored in the lower 25%, indicating a higher risk distribution compared to others.

What is Software Resiliency?

Software Resiliency indicates programming best practices that make software bullet-proof, more robust and secure. This index is derived through technology-specific code analysis that searches for the presence of code patterns that may compromise the reliability of the software in the short term. For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Software Agility?

Software Agility indicates how easily a development team can understand and maintain an application. This index is derived through technology-specific code analysis that searches for the presence of embedded documentation and code readability good practices.

For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Software Elegance?

Software Elegance measures the ability to deliver software value with less code complexity. A low Software Elegance score indicates decreased code quality, resulting in more defects that become costly to fix in the mid-term.

For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

How does CAST Highlight calculate an application’s Business Impact?

The Business Impact Index measures the criticality of an application to your company’s business. The index is derived through specific online survey questions concerning application impact on the business.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

Do you detect framework and library usage within applications?

Yes. During code scan of your applications, Highlight automatically detects usage of hundreds of frameworks and libraries to aggregate this data into your Highlight dashboards.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

How is the Software Maintenance Effort calculated?

Based on COCOMO II (Constructive Cost Model – Post Architecture), the Software Maintenance Effort calculated by Highlight estimates the ideal level of effort required to maintain an application in good operational condition, expressed in FTE (Full-Time Equivalent). This indicator is derived both from the Software Maintenance survey and from the software quality analysis computed during the source code scan.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

What are Backfired Function Points and how are they calculated?

Back-Fired Function Points (BFP) estimate the number of function points of an application. This code-derived metric is based on the lines of code, weighted by a technology-specific conversion table.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

What is Technical Debt?

The term “Technical Debt”, first defined by Ward Cunningham, is having a renaissance. A wide variety of ways to define and calculate Technical Debt are emerging. Technical Debt represents the effort required to fix problems that remain in the code when an application is released. It is an emerging concept, and little reference data on it is available for a typical application.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

How does CAST Highlight estimate Technical Debt?

For each code base, CAST Highlight calculates a risk index based on the density of the patterns identified. This risk index is used to adjust the per-technology technical-debt-per-line-of-code value from Appmarq's benchmark repository.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

Does CAST Highlight interface with source code configuration management tools?

CAST Highlight does not interface with source code configuration management tools. Therefore, your source code must be extracted from your SCM system and placed into a folder that can be accessed by our agent.

How do I analyze database code with CAST Highlight?

If you are going to analyze database code, then you need to extract information from your database. CAST employs tools to extract the table/program data into a format that can be read by the agent.

For more detailed information about the tools Highlight can leverage to help you extract source code, please visit our Tutorial & Tools section.

How do I analyze SAP code with CAST Highlight?

If you are going to analyze ABAP client code and want to identify links to SAP tables/programs, then you need to extract information from your SAP system. Because CAST Highlight cannot connect directly to the SAP tables to determine link information, Highlight leverages third-party tools to extract the table/program data into a format that can be read by the Local Agent.

For more detailed information about the tools Highlight can leverage to help you extract source code, please visit our Tutorial & Tools section.

What happens to files whose extension CAST Highlight does not recognize?

For technologies allowing files without extensions (typically COBOL), the Local Agent scans the first lines of code looking for known keywords of a given technology (e.g. PERFORM, MOVE) and associates the file with the detected technology. However, in order to configure your code scans accurately, you can manually “force” a technology for a set of files or folders from the Agent. The corresponding files will then be scanned with the analyzer you have selected.

For more detailed information on how to use Highlight, please visit our Tutorial & Tools section.
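As an added illustration (not CAST's own code), here is a small Python sketch of two mechanisms described in this FAQ: the keyword sniffing of extension-less files to pick a technology (with the manual “force” override), followed by the pattern-decrement scoring behind the risk indicators. The keyword lists, risk patterns, point weights, colour-band cut-offs and sample files are all assumptions constructed for this example.

```python
import re
IDEAL_SCORE = 100
# Keywords sniffed in the first lines of an extension-less file (assumed lists; the FAQ names PERFORM and MOVE).
TECH_KEYWORDS = {
    "COBOL": ("IDENTIFICATION DIVISION", "PROCEDURE DIVISION", "PERFORM", "MOVE"),
    "Shell": ("#!/BIN/SH", "#!/BIN/BASH", "ECHO", "THEN"),
}
# Technology-specific risk patterns and the points each hit removes (assumed weights).
TECH_PATTERNS = {
    "COBOL": ((r"\bGO TO\b", 20), (r"\bALTER\b", 40)),
    "Shell": ((r"\beval\b", 50), (r"\bchmod 777\b", 30)),
}

def detect_technology(source, max_lines=20, forced=None):
    """A forced technology wins; otherwise the one with most keyword hits in the head, or None."""
    if forced:
        return forced
    head = "\n".join(source.splitlines()[:max_lines]).upper()
    hits = {tech: sum(head.count(k) for k in kws) for tech, kws in TECH_KEYWORDS.items()}
    best = max(hits, key=hits.get)
    return best if hits[best] > 0 else None

def risk_band(loss_pct):
    """Cut-offs are an assumption; the FAQ only gives 25%, 50% and 75%+ as examples."""
    if loss_pct >= 75:
        return "red"
    if loss_pct >= 50:
        return "orange"
    return "green"

def score_file(source, technology):
    """Start from the ideal score, decrement per detected pattern, then classify the loss."""
    score = IDEAL_SCORE
    for pattern, weight in TECH_PATTERNS[technology]:
        score -= weight * len(re.findall(pattern, source))
    score = max(score, 0)
    loss_pct = round(100 * (IDEAL_SCORE - score) / IDEAL_SCORE)
    return {"technology": technology, "score": score,
            "loss_pct": loss_pct, "band": risk_band(loss_pct)}

def analyze(source, forced=None):
    """Detect (or force) the technology, then score; None if nothing is recognised."""
    tech = detect_technology(source, forced=forced)
    return None if tech is None else score_file(source, tech)

# Constructed sample files without extensions (not real customer code).
COBOL_SAMPLE = """\
       IDENTIFICATION DIVISION.
       PROCEDURE DIVISION.
           PERFORM COMPUTE-PAY.
           GO TO END-PARA.
           ALTER SWITCH-PARA TO PROCEED TO EXIT-PARA.
"""
SHELL_SAMPLE = "#!/bin/sh\necho deploy\neval \"$CMD\"\nchmod 777 /tmp/out\n"
RESULTS = {"cobol": analyze(COBOL_SAMPLE), "shell": analyze(SHELL_SAMPLE)}  # orange, red
```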

What if I discover that I missed some code: do I need to rerun the entire analysis?

If you discover that some part of an application was overlooked, all you need to do is analyze that code and then log back into the CAST Highlight portal. Simply add it as a component of the corresponding application and it will be aggregated into the quality and size results for that application.

For more detailed information on how to use Highlight, please visit our Tutorial & Tools section.

Security of the Platform
What is ISO 27001 certification and is CAST Highlight certified?

ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. Certification requires providers to systematically evaluate their information security risks, taking into account the impact of company threats and vulnerabilities; to design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks; and to adopt an overarching management process to ensure that the information security controls meet their information security needs on an ongoing basis. The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way. ISO 27001 certification means that an accredited, independent third-party auditor has assessed our processes and controls and confirms they are operating in alignment with the ISO 27001 standard.

The ISMS of CAST's cloud-based software analysis services has been certified ISO/IEC 27001:2013. In addition, CAST partners with Amazon Web Services (AWS), an ISO 27001 certified hosting provider, to ensure your data is secure in CAST Highlight. Our pursuit of ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally recognized standard confirms that our security management program is comprehensive and follows leading practices. This certification provides more clarity and assurance for customers evaluating the breadth and strength of our security practices. In the meantime, our partnership with Amazon provides secure solutions through a certified provider.

Where is CAST Highlight hosted?

Highlight is hosted on one of the most secure cloud infrastructures on earth, Amazon Cloud (AWS), which is certified against internationally recognized security standards (ISO 27001, SOC 2).

Is my data secure?

As previously mentioned, with Highlight no source code is ever uploaded to the cloud, only encrypted analysis results are. That being said, CAST has passed one of the most demanding anti-intrusion tests. An isolated data set is created for each customer, and CAST itself has been certified ISO/IEC 27001:2013.

What kind of security is in place?

You can read CAST’s security information and privacy policy.

Who is the Amazon Web Services certifying agent?

It is EY CertifyPoint, an ISO certifying agent accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by EY CertifyPoint are recognized as valid certificates in all countries with an IAF member.

What is FedRAMP and why is it important in the US?

The Cloud First policy mandates that US federal agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. The Office of Management and Budget (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.

Does AWS meet FedRAMP requirements?

Yes, Amazon Web Services (AWS) is a FedRAMP Compliant Cloud Service Provider (CSP) with authorization packages that can be leveraged by any federal, state and local government. AWS has completed the testing performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO) and has been granted two initial Agency Authority to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements. AWS’ compliance with FedRAMP requirements was achieved based on testing performed against the stringent set of FedRAMP requirements (NIST 800-53 Rev. 3 – Moderate baseline requirements, plus additional FedRAMP security controls). The AWS security assessment was performed by a FedRAMP-accredited 3PAO, Veris Group, LLC. The HHS authorization validates AWS’ security posture at the Moderate impact level to store, process, and protect a diverse array of sensitive government data. The assessment and associated ATOs have been registered in the FedRAMP repository and allow government agencies to evaluate AWS’ security and the opportunity to store, process, and maintain a diverse array of sensitive government data within the AWS cloud. Subsequent to the initial Agency ATOs provided by HHS, additional agencies have granted AWS ATOs based on the documentation stored in the FedRAMP repository.

Are there U.S. government entities using Amazon Web Services now?

Yes, numerous government agencies, and other entities that provide systems integration and other products and services to governmental agencies, are using the wide range of Amazon Web Services today.