Table of Contents |
---|
Introduction
CWE™(Common Weakness Enumeration) aims to provide a common base to identify the type of software weakness (vulnerability).. International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that will enable more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code. CWE™ gives a hierarchically structured list of weakness types to help identifying software vulnerabilities that come in a wide variety, such as SQL injection, cross-site scripting and buffer overflow.
CWE Compatible Certification
...
Security Reviewer provides a consistent number of CWE 4.6 rules designed for detecting vulnerabilities inside source code. Each rule defines up to 12 variants and up to 50 API on which will applied, ande has its own CWE™ Identifier and Description, with related MITRE™ web site link, on which you can do a Search:
...
You Export the rules list in Excel CSV format with CWE™ details:
...
CWE™ Ruleset
You can execute the Static Analysis with CWE™ and CWE™ SANS Top 25 ruleset:
...
CWE™ Results
After Static Analysis Completion, even you chose a different RuleSet, each vulnerability detected has always its own CWE™ ID with the related web link:
...
In the Static Analysis Reports, each rule's violation shows the related clickable CWE™ ID:
...
CWE™ Capabilities
Requirement | Capability | Fulfillment Method |
CWE | Security, Dead code, Best practices Rules, Analysis Results and Reports | By using the search function in Security Reviewer, the vulnerability countermeasure information database, users are able to conduct a search using CWE identifiers as the keyword. |
CWE | Analysis Results | CWE identifiers are displayed in the “Results” section within each vulnerability countermeasure information pages. |
Reports | CWE identifier is displayed in the “Violations” section of the detailed information window of each vulnerability countermeasure information. | |
CWE | Security Reviewer Knowledge Center, User Guide | This material document will become the documentation necessary to describe and demonstrate CWE, CWE association and methods used to satisfy the compatibility requirements. |
Mapping | Security, Dead code, Best practices Rules, Analysis Results and Reports | Security Reviewer supports many of CWE 4.4 IDs related to Static Analysis |
Supported CWE™ per Programming Language (Tiobe Index Top 10)
...
(*6)WASC: Web Application Security Consortium is a non profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
(*7)TIOBE: The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third party vendors.
https://www.tiobe.com/tiobe-index/
COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.