Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

3/23/2010 10:57 AM
Dark Reading
Products and Releases

Klocwork Enhances Vulnerability Analysis

Integrated support for CWE, CERT and SAMATE initiatives helps developers eliminate exploitable security issues

BURLINGTON, Mass., March 23, 2010 - Klocwork, Inc., the global leader in automated source code analysis solutions for improving developer productivity, today announced the enhancement of its security vulnerability analysis capabilities with support for the Common Weakness Enumeration (CWE), the CERT Secure Coding Initiative, and the Software Assurance Metrics and Tool Evaluation (SAMATE) project. Integrated support for these initiatives ensures that Klocwork's security reporting features align with industry and government best practices for identifying, understanding, and remediating security coding issues.

Common Weakness Enumeration (CWE)

The CWE is a community-developed list of software weakness types coordinated by MITRE. It defines and categorizes the most common weaknesses affecting software security, including buffer overflows, format string vulnerabilities and unvalidated user input.

Klocwork has declared Phase II compliance with the CWE standard: Klocwork Insight analysis results can now be reported using CWE identifiers, and Klocwork's vulnerability documentation has been updated to include CWE identifiers. CWE categorization in Klocwork's products enables customers to report on the CWE weaknesses found in their code.

CERT Secure Coding Standards

The CERT Secure Coding initiative at the Carnegie Mellon Software Engineering Institute (SEI) is supporting the development of secure code by identifying common coding errors that produce vulnerabilities and establishing a set of secure coding standards for commonly used programming languages, including C, C++ and Java.

"The CERT standard was created to help developers build code that is robust and resistant to security attacks," says Robert C. Seacord, Secure Coding Team Lead, Software Engineering Institute. "An effective way to ensure adherence to the standard is through the use of source code analysis tools because they allow you to check for rule violations."

To help software developers take advantage of the guidelines and direction provided by the CERT initiative, Klocwork Insight analysis results and documentation reference the corresponding CERT standard violation.
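The release names weakness classes (buffer overflows, format string vulnerabilities) and says that Insight findings reference CWE identifiers and CERT rules, but does not show what such a finding points at. The C below is an added illustration, not Klocwork's code or report output and not taken from the release: for two of those classes it places the unsafe form beside its hardened form and annotates each with the identifiers a CWE/CERT-aligned analyzer would attach. The identifiers in the comments (CWE-121, CWE-134, CERT STR31-C, CERT FIO30-C) come from the public CWE list and the CERT C Coding Standard, not from the release; the buffer size, function names and sample inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed buffer size for the illustration */

/*
 * "Before" form an analyzer would tag CWE-121 (stack-based buffer overflow)
 * and CERT STR31-C: strcpy() copies every byte of `input` into a fixed
 * 16-byte stack buffer, so any input of 16 or more characters writes past
 * `name`. Kept only to show the finding; never call it with untrusted input.
 */
void greet_unsafe(const char *input, char *out, size_t outsz)
{
    char name[NAME_MAX];
    strcpy(name, input);                    /* no bound check: CWE-121 */
    snprintf(out, outsz, "Hello, %s", name);
}

/*
 * Hardened form: the length is checked against sizeof(name) before any copy,
 * over-long input is rejected rather than silently truncated, and the copy
 * includes the terminator so `name` is always a valid C string.
 * Returns 0 on success, -1 when the input does not fit.
 */
int greet_safe(const char *input, char *out, size_t outsz)
{
    char name[NAME_MAX];
    size_t len = strlen(input);
    if (len >= sizeof name)
        return -1;
    memcpy(name, input, len + 1);
    snprintf(out, outsz, "Hello, %s", name);
    return 0;
}

/*
 * "Before" form tagged CWE-134 (externally controlled format string) and
 * CERT FIO30-C: caller data is passed as the format argument, so a message
 * containing "%x" or "%n" is interpreted as directives instead of printed.
 */
void log_unsafe(const char *msg, char *out, size_t outsz)
{
    snprintf(out, outsz, msg);              /* format string from data: CWE-134 */
}

/*
 * Hardened form: the format string is a literal and the data is an argument,
 * so "%x %n" in `msg` is copied literally. Returns snprintf()'s length.
 */
int log_safe(const char *msg, char *out, size_t outsz)
{
    return snprintf(out, outsz, "[app] %s", msg);
}

int main(void)
{
    char out[64];
    const char *attack = "%x %x %x %n";    /* constructed sample input */

    if (greet_safe("AAAA" "AAAA" "AAAA" "AAAA" "AAAA", out, sizeof out) == -1)
        puts("greet_safe: rejected over-long input (CWE-121 case)");
    log_safe(attack, out, sizeof out);
    printf("log_safe: %s\n", out);          /* directives printed literally */
    return 0;
}
```

The two unsafe functions are the shapes a CWE-compatible report labels; the hardened forms show the remediation the CERT rules call for (bounded copy with explicit rejection, and a literal format string). Only the hardened forms are exercised with hostile input.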

Software Assurance Metrics and Tool Evaluation (SAMATE)

An inter-agency project between the U.S. Department of Homeland Security and the National Institute of Standards and Technology (NIST), the SAMATE project has developed a set of metrics to measure the effectiveness of software security assessment tools like source code analysis technology, and assesses those tools to help identify weaknesses that lead to software failure and security vulnerabilities.

Klocwork runs the SAMATE test suite as part of its standard benchmarking practices and maintains a pass rate of 90%.

"These latest product enhancements extend Klocwork's commitment to helping professional software developers produce the most secure software possible," says Alen Zukich, director of product management, Klocwork. "In collaboration with industry- and government-led initiatives, Klocwork offers development organizations the ability to establish a single, consistent security policy across their software development lifecycle."

For a summary of Klocwork's support for these initiatives, visit Klocwork's code security web page.

About Klocwork

Klocwork's source code analysis solutions boost the productivity of software development teams while helping to ensure code security, quality and stability of complex code bases. Through proven static analysis techniques, Klocwork removes bottlenecks at the earliest stages of the software development process and enables software developers to find critical security vulnerabilities, quality defects and architectural issues quickly and accurately. More than 650 organizations have achieved higher code security and quality with Klocwork.

Media Contact: Meranda Powers 1.866.556.2967 [email protected]
