CWE Compliance with Parasoft

What is the CWE Top 25?

CWE (Common Weakness Enumeration) is MITRE's comprehensive catalog of over 800 programming, design, and architecture weaknesses that can lead to exploitable vulnerabilities; it covers far more than the Top 25. The CWE/SANS Top 25 Most Dangerous Software Errors is a short list of the most widespread and critical of these weaknesses. They are dangerous because they are often easy to find and exploit, and a successful exploit can let an attacker take complete control of the software, steal data, or stop the software from working at all.
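To make the Top 25 concrete, here is an added example of one of its entries, CWE-787 (Out-of-bounds Write), in the form a static analysis checker would flag, placed beside the hardened version. This is illustrative code written for this page, not Parasoft code or a Parasoft rule; the record format (one length byte followed by the payload), the function names, and the sample messages are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format: byte 0 = declared payload length, bytes 1.. = payload. */
#define NAME_BUF 16

/* Vulnerable: trusts the embedded length. If len exceeds the bytes actually
 * present it reads past msg (CWE-125); if len >= NAME_BUF it writes past
 * out (CWE-787). A checker mapped to CWE-787 flags the unchecked memcpy. */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char out[NAME_BUF])
{
    if (msg == NULL || out == NULL || msg_len < 1) return -1;
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no bound against msg_len or NAME_BUF */
    out[len] = '\0';
    return (int)len;
}

/* Hardened: validate the declared length against both the input actually
 * present and the destination buffer (payload plus NUL) before copying. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_BUF])
{
    if (msg == NULL || out == NULL || msg_len < 1) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;   /* declared length exceeds input   */
    if (len >= NAME_BUF) return -1;     /* no room for payload + NUL       */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs (not from the page). */
static const uint8_t GOOD_MSG[] = { 5, 'a', 'l', 'i', 'c', 'e' };
/* Declared length 200 but only 3 payload bytes follow. */
static const uint8_t BAD_MSG[]  = { 200, 'x', 'y', 'z' };
/* Length is consistent with the message but too large for out[NAME_BUF]. */
static const uint8_t LONG_MSG[] = { 19, 'A','A','A','A','A','A','A','A','A','A',
                                        'A','A','A','A','A','A','A','A','A' };

int main(void)
{
    char buf[NAME_BUF];
    /* Only the hardened parser is run on the hostile inputs; feeding them to
     * parse_name_unchecked is undefined behaviour (that is the bug). */
    printf("good  -> %d (%s)\n", parse_name_checked(GOOD_MSG, sizeof GOOD_MSG, buf), buf);
    printf("bad   -> %d\n", parse_name_checked(BAD_MSG, sizeof BAD_MSG, buf));
    printf("long  -> %d\n", parse_name_checked(LONG_MSG, sizeof LONG_MSG, buf));
    return 0;
}
```

The two checks in parse_name_checked are exactly the conditions a CWE-787/CWE-125 checker looks for: the copy length must be bounded by both the source bytes available and the destination capacity, and the bound on the destination must leave room for the terminator.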

Enforcing CWE Compliance with Static Analysis

Parasoft's static analysis tools are certified CWE-Compatible: each checker is tagged with the CWE entry it detects, so users can see which checker covers which CWE during configuration, remediation, and reporting. Because of this CWE-centric approach, nothing special is required beyond fixing the reported violations; the documentation needed for compliance is generated automatically. Parasoft also incorporates each CWE's technical impact into its analytics hub to support prioritization (triage) and audit (suppression) decisions.

Parasoft's real-time feedback gives users a continuous view of CWE compliance through interactive compliance dashboards, widgets, and reports that implement the CWE risk assessment framework directly in the dashboard.

How Parasoft Helps Achieve CWE Compliance

Parasoft users can leverage Parasoft's static code analysis products for C/C++, Java and .NET to reduce the cost of achieving CWE compliance and save time and effort.

Parasoft supports CWE with dedicated code analysis configurations that map to the weaknesses enumerated in the standard, for C, C++, Java, and .NET. The PDFs linked from this page document how Parasoft's static analysis rules map to individual CWE entries.

Establish, Apply, and Monitor Adherence to Policies

Parasoft’s policy-driven approach defines the organization’s expectations around quality while ensuring consistent, unobtrusive policy application. The automated infrastructure automatically monitors policy compliance for visibility and auditability.

Parasoft's out-of-the-box CWE mappings mean users don't have to work out which checkers correspond to which CWEs when configuring analysis, and when fixing a violation they always know which CWE they are addressing, because the checker name carries the CWE identifier.

For auditing and reporting, Parasoft shows exactly which CWE entries each checker covers and provides a full set of PDF compliance plan and deviation reports. Because checker names match the CWE identifiers, the compliance plan is rarely needed just to trace a finding back to its CWE.

Secure application development involves more than static analysis. It requires a mixture of test and analysis methods applied throughout the SDLC, together with software lifecycle management and vulnerability/risk management activities integrated across the process, to ensure the delivery of secure and reliable software.

Parasoft addresses both of these expectations with its Application Security solution. This integrated system extends Parasoft’s static analysis capabilities—providing a pre-configured system with processes and best practices that help organizations produce secure applications consistently and efficiently.

Unlike other static analysis vendors, Parasoft provides out-of-the-box policy/test configurations that are fully configurable and can be executed from within the IDE and via the CI/CD process to help quickly locate vulnerabilities earlier in the software development process.

Parasoft provides a unified view of compliance status through interactive compliance dashboards, widgets, and reports that implement the CWE risk assessment framework directly in the dashboard.

Parasoft's data-driven reporting system helps you identify the most important issues in the pool of possible problems. It accepts results automatically from Parasoft tools as well as from a host of other commercial and open source tools, and it exposes open REST APIs for both input and output, so you can integrate it with your build and development systems and with the systems of record used for auditing.

Relevant Resource

Embedded Cybersecurity Through Secure Coding Standards CWE and CERT

Learn more about how to achieve software security with a rigorous standards-based development process.