Frequently Asked Questions

General Questions
How frequently should I analyze my application portfolio with CAST Highlight?

It is recommended to run a snapshot of CAST Highlight every quarter in order to see how your portfolio is trending over time. However, Highlight provides a scriptable command line which helps you automate the code scan integration within your CI/CD environment.

Can I get access to the raw data provided by CAST Highlight?

The results of CAST Highlight’s application portfolio analysis can be viewed through CAST Highlight’s online interactive portal. You can also export all raw data into an XML or Excel file, making it easy for you to integrate CAST Highlight’s IT portfolio metrics into your existing reporting tools.

Which technologies does CAST Highlight support?

Highlight supports 40+ technologies, including Java, COBOL, SAP (ABAP), C/C++, C#, Objective-C, PHP, JavaScript, Python, JSP, Oracle PL/SQL, Microsoft Transact-SQL, Visual Basic, VB.Net, VB6, PL1 and Shell/BASH scripts.

Highlight also detects and scans these technologies to compute sizing metrics (total files, lines of code, back-fired function points): Ruby, Scala, Ada, Go, Groovy, Fortran, Typescript, Coffeescript, Assembler, Perl, Delphi, Lua, Rust, Coldfusion, Erlang, REXX, F#, Lisp, SmallTalk, Matlab, R.

For Cloud readiness assessment, Highlight supports Java, C#, VB/VB.Net, PHP and Python (Javascript coming soon).

How long does it take to analyze an application?

The Local Agent scans code quickly. It takes less than 5 minutes to analyze a normal-sized application of 150,000 lines of code (LOC) in Java. A large application of 1M LOC can be analyzed in less than an hour. Found something slow during the scan? Contact our product team, we love to continuously improve our analyzers.

What are the hardware/software requirements to scan my source code with the Local Agent?

  • Microsoft Windows XP or later
  • Chrome (highly recommended for the best experience), Microsoft Internet Explorer 11 or higher (not in compatibility mode), or Firefox ESR
  • Local Agent install/scan: 300MB free disk space, 4GB memory
  • Source code available as text files accessible from a Windows machine

Which operating systems and browsers are supported by CAST Highlight?

The CAST Highlight portal is compatible with Internet Explorer 11 or higher, Firefox ESR, Safari 5.1.7 or higher, and all versions of Chrome. The portal is accessible on desktops, tablets and smartphones. The CAST Highlight Local Agent is compatible with Windows XP or higher and runs on desktops.

Is it possible to put CAST Highlight on my server?

No, we’re a SaaS product. Highlight is only deployed, managed, secured and supported by CAST. One of the great advantages of this model is that there is no infrastructure cost or upgrade effort.

Does source code leave my infrastructure?

Never. The Local Agent is provided so that the analysis can be performed wherever your code lives. The only information exchanged between you and CAST is what you enter in the portfolio analysis survey and the output of the code quality analysis. Customer source code is not sent over the internet, neither by e-mail nor via any other internet protocol.

The result of the code-level analysis performed on your infrastructure is a .csv file made up of three segments: Output File Attributes, Section Attributes and File Attributes. The Output File Attributes identify the version of the analyzed application, the version and type of the analyzer by language, the file name and the date the analysis was performed. The Section Attributes define the file structure for the specific analyzer along with additional analyzer attributes. The File Attributes are a summary generated for each file analyzed.

This result file is uploaded to the portal over HTTPS, encrypted with a 256-bit encryption mechanism. Since the uploaded results describe your code base (analyzer versions, file structure and per-file summaries), review the generated .csv before uploading it if you need to confirm exactly what leaves your environment.

Does CAST Highlight connect to my software configuration systems?

Not currently. We are investigating that option for the future; if you have a specific system in mind, please let us know. However, Highlight comes with a scriptable command line which can easily be integrated within your CI/CD environment. In addition, during the first scan of an application, the Highlight Agent captures the configuration you made (exclusion of certain technologies, folders or files), which saves you time on future scans of the same application.

Can I add team members or colleagues to my CAST Highlight account?

Yes, you can add as many team members as you wish. Simply select Add Member from the Plan page. You will need to provide their email address and CAST Highlight will send them an invitation to join. Three user roles are available: Portfolio Managers (can create, edit and delete applications, scan results and campaigns, invite users, etc.), Contributors (can upload code scan results, answer the application survey and see analytics and dashboards for their applications) and Viewers (can only see application portfolio analytics and dashboards).

Why can't I see the analyses in the CAST Highlight portal?

Each user of CAST Highlight is attributed a specific role. Some roles have limited viewing rights. Please check with your CAST Highlight Administrator at your company for the type of access rights you have. Not sure who your Administrator is? Contact us.

Indicators & Methodology
How is each of the CAST Highlight health factor indicators derived?

Each of these software health indicators is a simple aggregation of specific patterns. Each file starts with an ideal score, and each time a pattern is detected, Highlight decrements that score. Once the agent has finished analyzing a file, it calculates how many points were lost relative to the ideal score and derives the file's rating from that. For example, a file that loses 25% of its points is classified green (high quality); a file that loses 50% of its points is classified orange (medium quality); a file that loses 75% or more of its points is classified red (low quality). This method is applied in each health area to provide a score per software health indicator.

What is a Code Insight?

Code Insights are symptoms in your code that may indicate a deeper problem. CAST Highlight automatically detects these code insights and uses them to build the software health indicators. Code insights are not necessarily problems in themselves. For example, long methods are often a symptom of mismanaged object responsibilities that require changes to the domain model; simply splitting a long method into smaller methods is not always the right fix.

Where do CAST Highlight’s application benchmarks come from? How do I interpret the benchmark scores?

Our benchmark data aggregates the averages from all applications that have been analyzed in CAST Highlight. CAST Highlight has analyzed over 650 million lines of code from 1,200+ applications. Our benchmarks are based on statistical quartiles. If, for a given application, a software health indicator is in the 1st quartile, the application scored in the top 25%, indicating better software health than most other applications. If the indicator is in the 4th quartile, the application scored in the bottom 25%, indicating worse software health than most others.
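The two passages above (per-file scoring by decrementing an ideal score, and quartile ranking against a benchmark population) can be made concrete in code. The following is an added example written for this page, not CAST Highlight's own scoring engine: the detection patterns, point penalties, the exact band edges between green, orange and red, the mean-of-files aggregation, the sample source files and the benchmark population are all assumptions chosen for illustration.

```python
"""Illustrative health-factor scoring and benchmark quartile ranking.

Added example, not CAST Highlight's code. It follows the method the FAQ
describes: each file starts at an ideal score, loses points per detected
pattern, is rated by the share of points lost, and the application is then
ranked against a benchmark population by quartile (1st quartile = top 25%).
"""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass

IDEAL_SCORE = 100      # assumed ideal score every file starts with
GREEN_MAX_LOSS = 25    # lose up to 25% of points -> green (from the FAQ)
RED_MIN_LOSS = 75      # lose 75% or more -> red (from the FAQ)
# Everything in between is orange. The FAQ only names 50% for orange, so the
# exact band edges are an assumption of this example.

# Assumed patterns per health factor: (label, regex, points lost per hit).
PATTERNS = {
    "resiliency": [
        ("empty catch block", re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}"), 25),
        ("hard-coded credential", re.compile(r'(?i)(password|secret)\s*=\s*"[^"]+"'), 40),
        ("catch of generic Exception", re.compile(r"catch\s*\(\s*(Exception|Throwable)\b"), 15),
    ],
    "agility": [
        ("magic number", re.compile(r"(?<![\w.])[0-9]{3,}(?![\w.])"), 10),
        ("TODO/FIXME marker", re.compile(r"\b(TODO|FIXME)\b"), 10),
        ("line longer than 120 chars", re.compile(r"^.{121,}$", re.M), 5),
    ],
}


@dataclass
class FileScore:
    factor: str
    score: int
    findings: list  # (label, number of hits)


def score_file(source: str, factor: str) -> FileScore:
    """Start at the ideal score and decrement once per pattern hit (floored at 0)."""
    score = IDEAL_SCORE
    findings = []
    for label, regex, penalty in PATTERNS[factor]:
        hits = len(regex.findall(source))
        if hits:
            findings.append((label, hits))
            score = max(0, score - penalty * hits)
    return FileScore(factor, score, findings)


def classify(score: int) -> str:
    """Rate a file by the percentage of points it lost."""
    lost = 100 * (IDEAL_SCORE - score) / IDEAL_SCORE
    if lost <= GREEN_MAX_LOSS:
        return "green"
    if lost >= RED_MIN_LOSS:
        return "red"
    return "orange"


def score_application(files: dict[str, str], factor: str) -> dict:
    """Aggregate per-file results for one health factor.
    Assumption: the application score is the mean of its file scores."""
    per_file = {name: score_file(src, factor) for name, src in files.items()}
    app_score = statistics.fmean(fs.score for fs in per_file.values())
    return {
        "score": round(app_score, 1),
        "files": {n: (fs.score, classify(fs.score), fs.findings) for n, fs in per_file.items()},
    }


def benchmark_quartile(app_score: float, benchmark_scores: list[float]) -> int:
    """Rank an application against a benchmark population.
    As in the FAQ, the 1st quartile is the *top* 25% (higher score = healthier)
    and the 4th the bottom 25%, so the usual ascending numbering is inverted."""
    q1, q2, q3 = statistics.quantiles(benchmark_scores, n=4, method="inclusive")
    if app_score >= q3:
        return 1
    if app_score >= q2:
        return 2
    if app_score >= q1:
        return 3
    return 4


# Constructed sample files (not a real code base) to exercise the scorer.
SAMPLE_FILES = {
    "Login.java": '''
public class Login {
    static final String password = "hunter2";
    void check() {
        try { connect(); } catch (Exception e) { }
    }
}
''',
    "Util.java": '''
public class Util {
    int add(int a, int b) { return a + b; }
}
''',
}

# Constructed benchmark population of application scores (not CAST data).
BENCHMARK = [42, 55, 61, 67, 70, 74, 78, 83, 88, 92]

if __name__ == "__main__":
    result = score_application(SAMPLE_FILES, "resiliency")
    print(result)
    print("benchmark quartile:", benchmark_quartile(result["score"], BENCHMARK))
```

With these inputs, Login.java trips all three resiliency patterns and drops to 20 points (80% lost, red), Util.java keeps its 100 (green), and the application mean of 60 falls below the benchmark's first cut point, so it lands in the 4th quartile. The inverted numbering in `benchmark_quartile` is the point worth remembering when reading Highlight dashboards: "1st quartile" is good news.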

What is Software Resiliency?

Software Resiliency indicates the presence of programming best practices that make software bullet-proof, more robust and more secure. This index is derived through technology-specific code analysis that searches for code patterns that may compromise the reliability of the software in the short term. For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Software Agility?

Software Agility indicates how easily a development team can understand and maintain an application. This index is derived through technology-specific code analysis that searches for the presence of embedded documentation and code readability good practices.

For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Software Elegance?

Software Elegance measures the ability to deliver software value with less code complexity. A low Software Elegance score indicates decreased quality in the code resulting in higher defects that become costly to fix at mid-term.

For more detailed information about this indicator, please visit our dedicated page in our Indicator & Methodology section.

What is Cloud Readiness?

In Highlight, the cloud readiness of an application is measured by the CloudReady index. This indicator assesses the software and organizational characteristics that can slow down or speed up a PaaS migration.

For more detailed information about this indicator, please visit our dedicated page.

How does CAST Highlight calculate an application’s Business Impact?

The Business Impact Index measures the criticality of an application to your company’s business. The index is derived through specific online survey questions concerning application impact on the business.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

Do you detect framework and library usage within applications?

Yes. During code scan of your applications, Highlight automatically detects usage of hundreds of frameworks and libraries to aggregate this data into your Highlight dashboards.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

How is the Software Maintenance Effort calculated?

Based on COCOMO II (Constructive Cost Model – Post Architecture), the Software Maintenance Effort calculated by Highlight estimates the ideal level of effort in order to maintain an application in good operational conditions, expressed in FTE (Full-Time Equivalent). This indicator is derived both from the Software Maintenance survey and the software quality analysis which are computed during the source code scan.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

What are Backfired Function Points and how are they calculated?

Back-Fired Function Points (BFP) estimate the number of function points of an application. This code-derived metric is based on the lines of code, weighted by an abacus for a given technology.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

What is Technical Debt?

The term “Technical Debt”, first coined by Ward Cunningham, is having a renaissance, and a wide variety of ways to define and calculate it are emerging. Technical Debt represents the effort required to fix the problems that remain in the code when an application is released. It is still an emerging concept, and little reference data is available on what the metaphor amounts to in a typical application.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

How does CAST Highlight estimate Technical Debt?

For each code base, CAST Highlight calculates a risk index based on the density of the patterns identified. This risk index is used to adjust the Appmarq benchmark repository's technical debt per line of code value for each technology.

For more detailed information about Highlight indicators, please visit our Indicator & Methodology section.

Does CAST Highlight interface with source code configuration management tools?

CAST Highlight does not interface with source code configuration management tools. Therefore, your source code must be extracted from your SCM system and placed into a folder that can be accessed by our agent.

How do I analyze database code with CAST Highlight?

If you are going to analyze database code then you need to extract information from your database. CAST employs tools to extract the table/program data into a format that can be read by the agent.

For more detailed information about the tools Highlight can leverage to help you extract source code, please visit our Tutorial & Tools section.

How do I analyze SAP code with CAST Highlight?

If you are going to analyze ABAP client code and want to identify links to SAP tables/programs, then you need to extract information from your SAP system. Because CAST Highlight cannot connect directly to the SAP tables to determine link information, Highlight leverages third-party tools to extract the table/program data into a format that can be read by the Local Agent.

For more detailed information about the tools Highlight can leverage to help you extract source code, please visit our Tutorial & Tools section.

What happens to the files that have extension that CAST Highlight does not recognize?

For technologies that allow files without extensions (typically COBOL), the Local Agent scans the first lines of the file looking for keywords known for a given technology (e.g. PERFORM, MOVE, etc.) and associates the file with the detected technology. To configure your code scans more accurately, you can also manually “force” a technology for a set of files or folders from the Agent; the corresponding files will then be scanned with the analyzer you selected.

For more detailed information on how to use Highlight, please visit our Tutorial & Tools section.
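The detection behaviour described above (known extension first, keyword sniffing of the file head for extension-less files, and a user-forced technology that overrides both) is easy to reproduce. The following is an added example written for this page and is not the Local Agent's code: the extension map, the keyword lists, the number of lines inspected, the binary-file check, the tie-breaking rule and the sample files are all assumptions.

```python
"""Illustrative technology detection for files a scanner cannot identify by extension.

Added example, not CAST Highlight's agent code. Precedence implemented here:
forced folder/file assignment > known extension > keyword sniffing of the file head.
"""
from __future__ import annotations

import re
from pathlib import PurePosixPath

SNIFF_LINES = 50  # assumed: only the head of the file is inspected

# Assumed extension -> technology map (a real agent carries a far larger one).
EXTENSIONS = {
    ".java": "java", ".py": "python", ".cbl": "cobol",
    ".cob": "cobol", ".sh": "shell", ".sql": "sql",
}

# Assumed keyword signatures, matched as whole words, case-insensitively.
KEYWORDS = {
    "cobol": ("IDENTIFICATION DIVISION", "PROCEDURE DIVISION", "PERFORM", "MOVE", "PIC"),
    "shell": ("#!/bin/sh", "#!/bin/bash", "fi", "esac", "echo"),
    "sql": ("CREATE TABLE", "SELECT", "INSERT INTO"),
}


def sniff_technology(head: str) -> str | None:
    """Return the technology whose keywords occur most often in the file head,
    or None when nothing matches or two technologies tie (ambiguous input)."""
    scores = {}
    for tech, words in KEYWORDS.items():
        n = sum(len(re.findall(r"(?i)(?<!\w)" + re.escape(w) + r"(?!\w)", head)) for w in words)
        if n:
            scores[tech] = n
    if not scores:
        return None
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None  # ambiguous: leave it to a forced assignment rather than guess
    return ranked[0][0]


def detect_technology(path: str, content: bytes, forced: dict[str, str] | None = None) -> str | None:
    """Decide which analyzer a file should go to.

    `forced` maps a folder prefix or exact file path to a technology; the most
    specific (longest) matching prefix wins. Binary content is never sniffed."""
    for prefix, tech in sorted((forced or {}).items(), key=lambda kv: len(kv[0]), reverse=True):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return tech
    suffix = PurePosixPath(path).suffix.lower()
    if suffix in EXTENSIONS:
        return EXTENSIONS[suffix]
    if b"\x00" in content[:8192]:
        return None  # binary file: nothing to sniff
    head = "\n".join(content.decode("utf-8", errors="replace").splitlines()[:SNIFF_LINES])
    return sniff_technology(head)


def plan_scan(files: dict[str, bytes], forced: dict[str, str] | None = None) -> dict[str, str | None]:
    """Map every file in a code base to the analyzer it will be scanned with (None = skipped)."""
    return {path: detect_technology(path, content, forced) for path, content in files.items()}


# Constructed sample files (not a real code base).
SAMPLES = {
    "src/main/App.java": b"public class App {}",
    "batch/PAYROLL": (
        b"       IDENTIFICATION DIVISION.\n       PROGRAM-ID. PAYROLL.\n"
        b"       PROCEDURE DIVISION.\n           MOVE 0 TO WS-TOTAL.\n"
        b"           PERFORM 100-READ.\n"
    ),
    "bin/deploy": b"#!/bin/bash\nif [ -z \"$1\" ]; then echo usage; fi\n",
    "legacy/copybooks/CUSTREC": b"       01 CUST-REC.\n          05 CUST-ID.\n",
    "data/blob": b"\x00\x01\x02",
}
FORCED = {"legacy/copybooks": "cobol"}  # the user "forced" this folder to COBOL

if __name__ == "__main__":
    for path, tech in plan_scan(SAMPLES, FORCED).items():
        print(f"{path:28s} -> {tech}")
```

The copybook is the interesting case: its head carries none of the assumed keywords, so without the forced assignment it would be skipped, and a mixed file containing both SQL and COBOL keywords is reported as ambiguous rather than guessed. That is the behaviour a practitioner wants from a scanner: an unrecognized or ambiguous file should be surfaced for explicit configuration, not silently routed to the wrong analyzer.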

What if I discover that I missed some code: do I need to rerun the entire analysis?

If you discover that part of an application was overlooked, all you need to do is analyze that code and then log back into the CAST Highlight portal. Simply add it as a component of the corresponding application and it will be aggregated into the quality and size results for that application.

For more detailed information on how to use Highlight, please visit our Tutorial & Tools section.

Security of the Platform
Is my data secure?

Absolutely. With Highlight, no source code is ever uploaded to the cloud; only encrypted analysis results are. CAST has passed one of the most demanding anti-intrusion tests, and Highlight has been certified ISO/IEC 27001:2013 (download the certificate).

What kind of security is in place?

You can read CAST’s security information and privacy policy.

Where is CAST Highlight hosted?

Highlight is hosted on both AWS and Microsoft Azure.

What is ISO 27001 certification and is CAST Highlight certified?

ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. Certification requires providers to:

  • Systematically evaluate their information security risks, taking into account the impact of company threats and vulnerabilities;
  • Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
  • Adopt an overarching management process to ensure that the information security controls meet their information security needs on an ongoing basis.

The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way. ISO 27001 certification means that an accredited, independent third-party auditor has assessed our processes and controls and confirmed that they operate in alignment with the ISO 27001 standard.

The ISMS of CAST's cloud-based software analysis services has been certified ISO/IEC 27001:2013. In addition, CAST partners with Amazon Web Services (AWS), an ISO 27001 certified hosting provider, to ensure your data is secure in CAST Highlight. Our ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally recognized standard confirms that our security management program is comprehensive and follows leading practices, and it gives customers evaluating the breadth and strength of our security practices additional clarity and assurance. Our partnership with Amazon further provides secure solutions through a certified provider.

Who is the Amazon Web Services certifying agent?

It is EY CertifyPoint, an ISO certifying agent accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by EY CertifyPoint are recognized as valid certificates in all countries with an IAF member.

What is FedRAMP and why is it important in the US?

The Cloud First policy mandates that US federal agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. The Office of Management and Budget (OMB) mandate states that agencies must “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, cost and resources when evaluating the security of cloud providers.

Does AWS meet FedRAMP requirements?

Yes, Amazon Web Services (AWS) is a FedRAMP Compliant Cloud Service Provider (CSP) with authorization packages that can be leveraged by any federal, state or local government. AWS has completed the testing performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO) and has been granted two initial Agency Authority to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements. AWS' compliance was achieved through testing against the stringent set of FedRAMP requirements (NIST 800-53 Rev. 3 Moderate baseline requirements, plus additional FedRAMP security controls). The AWS security assessment was performed by a FedRAMP-accredited 3PAO, Veris Group, LLC. The HHS authorization validates AWS' security posture at the Moderate impact level to store, process, and protect a diverse array of sensitive government data. The assessment and associated ATOs have been registered in the FedRAMP repository, allowing government agencies to evaluate AWS' security and to store, process, and maintain sensitive government data within the AWS cloud. Subsequent to the initial Agency ATOs granted by HHS, additional agencies have granted AWS ATOs based on the documentation stored in the FedRAMP repository.

Are there U.S. government entities using Amazon Web Services now?

Yes, numerous government agencies and other entities that provide systems integration and other products and services to governmental agencies are using the wide-range of Amazon Web Services today.