Common Weakness Enumeration (CWE)
As a community-developed list of software weakness types coordinated by MITRE, the CWE helps define and categorize the most common weaknesses affecting software security, including buffer overflows, format string vulnerabilities and unvalidated user input.
Klocwork has declared Phase II compliance with the CWE standard: Klocwork Insight analysis results can now be reported using CWE identifiers, and Klocwork's vulnerability documentation has been updated to include CWE identifiers. CWE categorization in Klocwork's products enables customers to report on any CWE violations in their code.
CERT Secure Coding Standards
The CERT Secure Coding initiative at the Carnegie Mellon Software Engineering Institute (SEI) is supporting the development of secure code by identifying common coding errors that produce vulnerabilities and establishing a set of secure coding standards for commonly used programming languages, including C, C++ and Java.
"The CERT standard was created to help developers build code that is robust and resistant to security attacks," says Robert C. Seacord, Secure Coding Team Lead, Software Engineering Institute. "An effective way to ensure adherence to the standard is through the use of source code analysis tools because they allow you to check for rule violations."
To help software developers take advantage of the guidelines and direction provided by the CERT initiative, Klocwork Insight analysis results and documentation reference the corresponding CERT standard violation.
Software Assurance Metrics and Tool Evaluation (SAMATE)
An inter-agency project between the U.S. Department of Homeland Security and the National Institute of Standards and Technology (NIST), the SAMATE project has developed a set of metrics to measure the effectiveness of software security assessment tools such as source code analysis technology, and assesses those tools to help identify the weaknesses that lead to software failures and security vulnerabilities.
Klocwork runs the SAMATE test suite as part of its standard benchmarking practices and maintains a pass rate of 90%.
"These latest product enhancements extend Klocwork's commitment to helping professional software developers produce the most secure software possible," says Alen Zukich, director of product management, Klocwork. "In collaboration with industry- and government-led initiatives, Klocwork offers development organizations the ability to establish a single, consistent security policy across their software development lifecycle."
For a summary of Klocwork's support for these initiatives, visit Klocwork's code security web page.
About Klocwork
Klocwork's source code analysis solutions boost the productivity of software development teams while helping to ensure the security, quality and stability of complex code bases. Through proven static analysis techniques, Klocwork removes bottlenecks at the earliest stages of the software development process and enables software developers to find critical security vulnerabilities, quality defects and architectural issues quickly and accurately. More than 650 organizations have achieved higher code security and quality with Klocwork.
Media Contact: Meranda Powers 1.866.556.2967 [email protected]