Klocwork, Inc., the global leader in automated source code analysis solutions for improving developer productivity, today announced the enhancement of its security vulnerability analysis capabilities with support for the Common Weakness Enumeration™ (CWE), the CERT Secure Coding Initiative, and the Software Assurance Metrics and Tool Evaluation (SAMATE) project. Integrated support for these initiatives ensures Klocwork’s security reporting features align with industry and government best practices for identifying, understanding, and remediating security coding issues.
Common Weakness Enumeration (CWE)
As a community-developed list of software weakness types coordinated by MITRE, the CWE is helping to define and categorize the most common weaknesses affecting software security, including buffer overflows, format string vulnerabilities and un-validated user inputs.
Having declared Phase II compliance for the CWE standard, Klocwork Insight analysis results can now be reported using CWE identifiers and Klocwork’s vulnerability documentation has been updated to include CWE identifiers. CWE categorization as part of Klocwork’s products enables customers to report on any CWE violations in their code.
CERT Secure Coding Standards
The CERT Secure Coding initiative at the Carnegie Mellon Software Engineering Institute (SEI) is supporting the development of secure code by identifying common coding errors that produce vulnerabilities and establishing a set of secure coding standards for commonly used programming languages, including C, C++ and Java.
“The CERT standard was created to help developers build code that is robust and resistant to security attacks,” says Robert C. Seacord, Secure Coding Team Lead, Software Engineering Institute. “An effective way to ensure adherence to the standard is through the use of source code analysis tools because they allow you to check for rule violations.”
To help software developers take advantage of the guidelines and direction provided by the CERT initiative, Klocwork Insight analysis results and documentation reference the corresponding CERT standard violation.
Software Assurance Metrics and Tool Evaluation (SAMATE)
An inter-agency project between the U.S. Department of Homeland Security and the National Institute of Standards and Technology (NIST), the SAMATE project has developed a set of metrics to measure the effectiveness of software security assessment tools like source code analysis technology, and assesses those tools to help identify weaknesses that lead to software failure and security vulnerabilities.
Klocwork runs the SAMATE test suite as part of its standard benchmarking practices and maintains a pass rate of 90%.
“These latest product enhancements extend Klocwork’s commitment to helping professional software developers produce the most secure software possible,” says Alen Zukich, director of product management, Klocwork. “In collaboration with industry- and government-lead initiatives, Klocwork offers development organizations the ability to establish a single, consistent security policy across their software development lifecycle.”
For a summary of Klocwork’s support for these initiatives, visit Klocwork’s code security web page.
Klocwork® source code analysis solutions boost the productivity of software development teams while helping to ensure code security, quality and stability of complex code bases. Through proven static analysis techniques, Klocwork removes bottlenecks at the earliest stages of the software development process and enables software developers to find critical security vulnerabilities, quality defects and architectural issues quickly and accurately. More than 650 organizations have achieved higher code security and quality with Klocwork.