Frequently Asked Questions

General questions

How frequently should I analyze my application portfolio with CAST Highlight?

It is recommended to run a snapshot of CAST Highlight every quarter in order to see how your portfolio is trending over time.

Can I get access to the raw data provided by CAST Highlight?

The results of CAST Highlight’s application portfolio analysis can be viewed through CAST Highlight’s online interactive portal. You can also export all raw data into an XML or Excel file, making it easy for you to integrate CAST Highlight’s IT portfolio metrics into your existing reporting tools.

Which technologies does CAST Highlight support?

Java, COBOL, SAP (Abap), C/C++, C#, Objective-C, PHP, Javascript, JSP, Visual Basic, VB.Net, VB6, Oracle PL/SQL, PL1, Python, Microsoft T-SQL, Nsdk, and Shell/BASH scripts.

How long does it take to analyze an application?

The local agent scans code quickly. It takes less than 5 minutes to analyze a normal-sized application of 150,000 lines of code (LOC) in Java. A large application of 1M LOC can be analyzed in less than an hour.

Which operating systems and browsers are supported by CAST Highlight?

The CAST Highlight portal is compatible with Internet Explorer 10 or higher; Firefox ESR or higher; Safari 5.1.7 or higher; and all versions of Chrome. The portal is accessible on desktops, tablets and smartphones. The CAST Highlight Local Agent is compatible with Windows XP or higher and can be run on desktops.

Is it possible to put CAST Highlight on my server?

Not currently. We are investigating this as a deployment option but currently CAST Highlight is only deployed and supported by CAST.

Does source code leave my possession?

Never. We make the agent available to you so that the analysis could be performed wherever your code may exist. The only information that is exchanged between our clients and us is the information you provide as part of the portfolio analysis survey and the output of the code quality analysis. CAST Highlight generates a .csv file that consists of three segments; Output File Attributes, Section Attributes and the File attributes. Please note that customer data is not sent over the internet either by e-mail or via other internet protocols. The result of the code-level analysis performed by CAST Highlight on the Client infrastructure is uploaded to the website through https and encrypted using a 256-bit encryption mechanism.The Output File Attributes identifies the version of the analyzed application, the version of the analyzer and the type of analyzer by language. It also provides the file name and date the analysis was performed. The section data defines the file structure for the specific analyzer along with additional analyzer attributes. The File Attributes are a summary that is generated for each file analyzed.

Does CAST Highlight connect to my software configuration systems?

Not currently. We are investigating that option for the future. If you have a specific system in mind please let us know. However, during the first scan of an application, the Highlight Agent captures configurations you made (exclusion of certain technologies, folders or files) that make you save time for future scans of a same application.

Can I add team members or colleagues to my CAST Highlight account?

Yes, you can add as many team members to participate as you wish. Simply select Add Member from the Plan page. You will need to provide their email address and CAST Highlight will send them an invitation to join.

I cannot see the analyses in the CAST Highlight portal?

Each user of CAST Highlight is attributed a specific role. Some roles have limited viewing rights. Please check with your CAST Highlight Administrator at your company for the type of access rights you have. Not sure who your Administrator is? Contact us.

Indicators, Methodology & Technical

How are each of the CAST Highlight risk indicators derived?

Each of these risk indicators is a simple aggregation of specific patterns. Each file is given an optional score to start, and as a pattern is detected, Highlight decrements the score. Once the agent has finished analyzing a file, it calculates how many points were decremented from the ideal score and determines its risk score. For example, if a file loses 25% of its score, it will be classified in the green. If a file loses 50% of its points, it will be categorized in the orange. A file that loses 75% or more of its points will be classified in the red. This method is applied by each risk area to provide risk scoring per Risk Index.

What is a Code Smell?

Code Smells are symptoms of your code that possibly indicate a deeper problem. CAST Highlight automatically detects these code smells to help put together the risk indicators. Code smells are not necessarily problems themselves. For example, long methods are often a symptom of mismanaged object responsibilities that require changes to the domain model. Simply splitting up the long method into smaller methods is not always the way to go. For more information, read our code smells eBook.

Where do CAST Highlight's application benchmarks come from? How do I interpret the benchmark scores?

Our benchmark data aggregates the averages from all applications that have been analyzed in CAST Highlight. CAST Highlight has analyzed over 650 million lines of code from 1,200+ applications. Our benchmarks are based on statistic quartiles. If for a given application the risk indicator is in the 1st quartile, then the app scored in the upper 25%, indicating a lower risk distribution compared to other applications. If the risk indicator is in the 4th quartile, then the app scored in the lower 25%, indicating a higher risk distribution compared to others.

What is Production Risk?

Production Risk represents the likelihood of defects occurring in production. This risk index ranges from 1 to 100 whereas a score of 1 indicates the lowest probability of production defects occurring. This risk indicator is derived through technology-specific code analysis that searches for the presence of code patterns that may compromise the reliability of the software. The presence of these patterns indicates a potential for malfunction. Some patterns include: research assignment operators in a conditional expression, search for “break” missing in a case of selective statement, search macros whose parameters are not parenthesized, bug patterns and resource management practice.

What is Adaptability Risk?

Adaptability Risk indicates the cost and ease to maintain an application. The risk index ranges from 1 to 100 whereas a lower score indicates that the application is cheaper to maintain and with more predictable results. This risk indicator is derived through technology-specific code analysis that searches for the presence of programming best practices, documentation and code readability. Best practices alarms are triggered when the code does not follow the rules of development from the state of the art. Failure to follow best practices reflects a disregard for expertise that is known to promote scalability. Some best practices include: finding inconsistencies between ‘default’ branch and number of selective statement, and poorly structured code search. Readability alarms are triggered based on the form of code. Some alarms include: finding inconsistencies in the management of spaces and operators, search heterogeneities in the use of characters and number of long lines. Documentation alarms determine the quality of documentation within a file and the self-descriptiveness of the code. Poorly documented code increases maintenance and makes it difficult to find and fix bugs. The embedded documentation is the set of words and phrases, written in natural language, which aim to provide additional information to improve the understanding of code. Detection focuses on both the quantity and location of comments, the presence of certain ‘tags’ corresponding to suspected comments, the existence of executable code commented out and the length of identifiers.

What is Complexity Risk?

Software Complexity of source code is determined by combining Cyclomatic Complexity, the type of application or its intended functional purpose, the domain in which the application operates as well as the total size of the application. Cyclomatic Complexity which is a measure of the amount of logic in a code module. A high complexity score indicates decreased quality in the code resulting in higher defects that become costly to fix.

What is Technical Debt?

The term “Technical Debt”, first defined by Ward Cunningham, is having a renaissance. A wide variety of ways to define and calculate Technical Debt are emerging. Technical Debt represents the effort required to fix problems that remain in the code when an application is released. It is an emerging concept, and little reference data regarding the metaphor is available in a typical application.

How does CAST Highlight calculate Technical Debt?

For each code base, CAST Highlight calculates a risk index based on the density of patterns identified. This risk index is used to adjust the Appmarq benchmark technical debt per line of code value per technology. The Appmarq benchmarking repository provides a unique opportunity for CAST Research Labs (CRL) to calculate Technical Debt across different technologies, based on the number of engineering flaws and violations of good architectural and coding practices in that source code. This data-driven approach to provides an objective, conservative, and actionable estimate of Technical Debt.

How does CAST Highlight calculate an application's Business Impact?

The Business Impact Index measures the criticality of an application to your company’s business. The index is derived through specific online survey questions concerning application impact on the business. These questions capture key data points such as: number of major releases; volume of end users; and impact of application failure on revenue loss. CAST Highlight applies these data to plot a value profile of your portfolio to help you understand which applications are driving your business.

Does CAST Highlight interface with source code configuration management tools?

CAST Highlight does not interface with source code configuration management tools. Therefore, your source code must be extracted from your SCM system and placed into a folder that can be accessed by our agent.

How do I analyze database code with CAST Highlight?

If you are going to analyze database code then you need to extract information from your database. CAST employs tools to extract the table/program data into a format that can be read by the agent. The extraction action can be carried out either: using the executable .JAR files CASTDBGUI.jar / CASTDBExtractorGUI.jar or using the command line only (CASTDBExtractor.jar). Contact for more information.

How do I analyze SAP code with CAST Highlight?

If you are going to analyze ABAP client code and want to identify links to SAP tables/programs, then you need to extract information from your SAP system. Because CAST Highlight cannot connect directly to the SAP tables to determine link information, CAST employs two tools to extract the table/program data into a format that can be read by the agent. ZCAST_EXTRACTOR_PRG.txt > extracts all programs, includes, user-exits, functions, classes, interfaces, BAPI, processing screens, transactions, WebDynpro for ABAP, including source code, belonging to SAP packages.ZCAST_EXTRACTOR_TAB.txt > extracts all tables and views belonging to SAP object names. In addition, it allows you to extract the number of rows for database tables that have been extracted. The tools are located at the root of your agent installation folder. For more information,contact us.

What happens to the files that have extension that CAST Highlight does not recognize?

For technologies allowing files without extensions (typically COBOL), the Agent will scan the first lines of code looking for known keywords for a given technology (eg: PERFORM, MOVE, etc.), and will associate the file to the detected technology. However, in order to accurately configure your code scans, you can manually “force” a technology for a set of files or folders from the Agent. Then, the corresponding files will scanned with the analyzer you’ve selected.

What if I discover that I missed some code: do I need to rerun the entire analysis?

If you’ve discovered that some part of an application was overlooked or missed, all you need to do is to analyze that code then log back into CAST Highlight portal. You will simply add it as a component to its corresponding application and it will be aggregated into the quality and size results for that application.

Security of the Platform

What is ISO 27001 certification and is CAST Highlight certified?
ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. Certification requires providers to: Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities; Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks; and Adopt an overarching management process to ensure that the information security controls meet the our information security needs on an ongoing basis. The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way. ISO 27001 certification means a third party accredited independent auditor has performed an assessment of our processes and controls and confirms they are operating in alignment with the ISO 27001 certification standard.

The ISMS of the CAST’s cloud-based software analysis services has been certified ISO/IEC 27001:2013. In addition, CAST partners with Amazon Web Services (AWS), an ISO 27001 certified hosting provider, to ensure your data is secure in CAST Highlight. Our pursuit of ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally-recognized standard confirms that our security management program will be comprehensive and follow leading practices. This certification provides more clarity and assurance for customers evaluating the breadth and strength of our security practices. In the meantime, our partnership with Amazon provides secure solutions through a certified provider.

Where is CAST Highlight hosted?

Highlight is hosted on one of the most secure cloud infrastructures on earth, Amazon Cloud, which is certified by internationally recognized security norms (ISO-27001, SOC2).

Is my data secure?

As previously mentioned, with Highlight no source code is ever uploaded to the cloud, only encrypted analysis results are. That being said, CAST has passed one of the most demanding anti-intrusion tests. An isolated data set is created for each customer, and CAST itself has been certified ISO/IEC 27001:2013.

What kind of security is in place?
Who is the Amazon Web Services certifying agent?

It is EY CertifyPoint, an ISO certifying agent accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by EY CertifyPoint are recognized as valid certificates in all countries with an IAF member.

What is FedRAMP and why is it important in the US?

The Cloud First policy mandates that US federal agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. And the Office of Management and Budgets (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows for federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.

Do Amazon Web Services meet FedRAMP requirements?

Yes, Amazon Web Services (AWS) is a FedRAMP Compliant Cloud Service Provider (CSP) with authorization packages that can be leveraged by any federal, state and local government. AWS has completed the testing performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO) and has been granted two initial Agency Authority to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements. AWS’ compliance with FedRAMP requirements was achieved based on testing performed against the stringent set of FedRAMP requirements (NIST 800-53 Rev. 3 – Moderate baseline requirements, plus additional FedRAMP security controls). The AWS security assessment was performed by a FedRAMP-accredited 3PAO, Veris Group, LLC. The HHS authorization validates AWS’ security posture at the Moderate impact level to store, process, and protect a diverse array of sensitive government data. The assessment and associated ATOs have been registered in the FedRAMP repository and allow government agencies to evalute AWS’ security and the opportunity to store, process, and maintain a diverse array of sensitive government data within the AWS cloud. Subsequent to the initial Agency ATOs provided by HHS, additional agencies have granted AWS ATOs based on the documentation stored in the FedRAMP repository.

Are there U.S. government entities using Amazon Web Services now?

Yes, numerous government agencies and other entities that provide systems integration and other products and services to governmental agencies are using the wide-range of Amazon Web Services today.