Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/23/2010
10:57 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Klocwork Enhances Vulnerability Analysis

Integrated support for CWE, CERT and SAMATE initiatives helps developers eliminate exploitable security issues

BURLINGTON, Mass. " March 23, 2010 " Klocwork, Inc., the global leader in automated source code analysis solutions for improving developer productivity, today announced the enhancement of its security vulnerability analysis capabilities with support for the Common Weakness Enumeration (CWE), the CERT Secure Coding Initiative, and the Software Assurance Metrics and Tool Evaluation (SAMATE) project. Integrated support for these initiatives ensures Klocwork's security reporting features align with industry and government best practices for identifying, understanding, and remediating security coding issues.

Common Weakness Enumeration (CWE)

As a community-developed list of software weakness types coordinated by MITRE, the CWE is helping to define and categorize the most common weaknesses affecting software security, including buffer overflows, format string vulnerabilities and un-validated user inputs.

Having declared Phase II compliance for the CWE standard, Klocwork Insight analysis results can now be reported using CWE identifiers and Klocwork's vulnerability documentation has been updated to include CWE identifiers. CWE categorization as part of Klocwork's products enables customers to report on any CWE violations in their code.

CERT Secure Coding Standards

The CERT Secure Coding initiative at the Carnegie Mellon Software Engineering Institute (SEI) is supporting the development of secure code by identifying common coding errors that produce vulnerabilities and establishing a set of secure coding standards for commonly used programming languages, including C, C++ and Java.

"The CERT standard was created to help developers build code that is robust and resistant to security attacks," says Robert C. Seacord, Secure Coding Team Lead, Software Engineering Institute. "An effective way to ensure adherence to the standard is through the use of source code analysis tools because they allow you to check for rule violations."

To help software developers take advantage of the guidelines and direction provided by the CERT initiative, Klocwork Insight analysis results and documentation reference the corresponding CERT standard violation.

Software Assurance Metrics and Tool Evaluation (SAMATE)

An inter-agency project between the U.S. Department of Homeland Security and the National Institute of Standards and Technology (NIST), the SAMATE project has developed a set of metrics to measure the effectiveness of software security assessment tools like source code analysis technology, and assesses those tools to help identify weaknesses that lead to software failure and security vulnerabilities.

Klocwork runs the SAMATE test suite as part of its standard benchmarking practices and maintains a pass rate of 90%.

"These latest product enhancements extend Klocwork's commitment to helping professional software developers produce the most secure software possible," says Alen Zukich, director of product management, Klocwork. "In collaboration with industry- and government-lead initiatives, Klocwork offers development organizations the ability to establish a single, consistent security policy across their software development lifecycle."

For a summary of Klocwork's support for these initiatives, visit Klocwork's code security web page.

About Klocwork Klocwork' source code analysis solutions boost the productivity of software development teams while helping to ensure code security, quality and stability of complex code bases. Through proven static analysis techniques, Klocwork removes bottlenecks at the earliest stages of the software development process and enables software developers to find critical security vulnerabilities, quality defects and architectural issues quickly and accurately. More than 650 organizations have achieved higher code security and quality with Klocwork.

Media Contact: Meranda Powers 1.866.556.2967 [email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4682
PUBLISHED: 2021-01-28
IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVE-2020-4888
PUBLISHED: 2021-01-28
IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker co...
CVE-2020-13569
PUBLISHED: 2021-01-28
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can...
CVE-2021-20620
PUBLISHED: 2021-01-28
Cross-site scripting vulnerability in Aterm WF800HP firmware Ver1.0.9 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
CVE-2021-20621
PUBLISHED: 2021-01-28
Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.