Compliance to CWE with the LDRA tool suite®
The CWE project (Common Weakness Enumeration) is an international community-developed formal list of common software weaknesses. CWE is a software assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The CWE effort aims to help shape and mature the code security assessment industry and to dramatically accelerate the use and utility of software assurance capabilities for organisations in reviewing the software systems they acquire or develop.
CWE targets developers and security practitioners, and it is a formal list of software weakness types created to:
- Serve as a common language for describing software security weaknesses in architecture, design, or code
- Serve as a standard measuring stick for software security tools targeting these weaknesses.
- Provide a common baseline standard for weakness identification, mitigation, and prevention efforts
According to research directed by the National Institute of Security Technology, 64% of software vulnerabilities stem from programming errors. To help identify core weaknesses contributing to software vulnerabilities, MITRE Corporation, a public interest not-for-profit organisation, created the CWE list. MITRE manages several federally funded research and development centres, including one for the Department of Homeland Security which is mandated with developing the CWE project. CWE was created to address the concerns of organisations that want assurance that the software products they acquire and develop are free from known types of programming errors.
Software acquirers want assurance that the software products they are obtaining are reviewed for known types of security flaws. The acquisition groups in large government and private organisations are moving forward to use these types of reviews as part of future contracts. However, the tools and services that can be used for this type of review are new at best and there are no nomenclatures, taxonomies, or standards to define the capabilities and coverage of these tools and services. This makes it difficult to comparatively decide which tool/service is best suited for a particular job. What is needed is a standard list and classification of software security weaknesses to serve as a unifying language of discourse and a measuring stick for tools and services
CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard CWE's definitions and descriptions support the finding of these common types of software security flaws in code prior to fielding. This means both users and developers of software assurance tools and services now have a mechanism for describing each of the industry's software security flaw code assessment capabilities in terms of their coverage of the different CWEs. If necessary, CWE can also be scoped to specific languages, frameworks, platforms, and machine architectures.
LDRA tool suite highlights - CWE
LDRA, the leading provider of automated software verification, source code analysis, and test tools, has achieved Common Weakness Enumeration (CWE) Compatibility for the LDRA tool suite. The CWE project aims to better understand flaws in software and to create automated tools that can be used to identify, fix and prevent those flaws. CWE Compatibility confirms that the LDRA tool suite can identify common programming errors contributing to software containing potentially exploitable vulnerabilities.
CWE-Compatible Products and Services must meet the following criteria:
- CWE Searchable - Users may search security elements using CWE identifiers
- CWE Output - Security elements presented to users includes, or allows users to obtain, associated CWE identifiers
- Mapping Accuracy - Security elements accurately link to the appropriate CWE identifiers
- CWE Documentation - Capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
CWE Compatibility recognises the ability of LDRA's static and dynamic analysis tools, LDRA Testbed and TBvision, to assist companies in finding security flaws and weaknesses in code, aiding the development of secure software applications. LDRA achieved CWE Compatibility by accurately mapping the LDRA tool suite to the coding rules of CWE so that the LDRA tool suite can identify reference and document weaknesses within the code.
CWE establishes a list of software weaknesses that provides effective discussion, description, selection of the weaknesses as well as the use of software security tools and services that can find these weaknesses in source code and operational systems. CWE also seeks to better understand and manage software weaknesses at the architecture and design levels. LDRA has integrated the coding competencies that contribute to secure programming into the LDRA tool suite.