Automatically detect and remediate security issues

Klocwork static analysis automates the detection of hundreds of classes of potential security vulnerabilities in source code, giving development teams a consistent, tool-based approach to identifying and remediating them. Klocwork actively supports secure coding initiatives, including MISRA, CWE, CERT, OWASP, DISA STIG and SAMATE.

MISRA

MISRA coding standards have been adopted by industries developing safety-critical embedded software including automotive, telecom, aerospace, defense, and medical. Klocwork provides built-in, automated detection and reporting for MISRA-C:2004 and MISRA-C++:2008.

With Klocwork, MISRA coding standard violations can be reported automatically at the developer desktop, in the integration build, and during peer code review.

Implement defect detection and enforce coding standards with Klocwork.


CERT Secure Coding Initiative

In association with the Software Engineering Institute (SEI) at Carnegie Mellon University, the CERT Secure Coding Initiative works with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before they are deployed.

CERT identifies common programming errors that lead to software vulnerabilities, publishes secure coding standards, and educates software developers with the goal of advancing the state of the practice in secure coding. See the CERT website or our CERT Coding Standard page for specifics.


SAMATE

Software Assurance Metrics and Tool Evaluation (SAMATE) is sponsored by the U.S. Department of Homeland Security (DHS) National Cybersecurity Division and NIST. The objective of Part 3, Technology (Tools and Requirements), is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools and (B) measuring the effectiveness of those tools.

Common Weakness Enumeration (CWE™)

A MITRE Corporation initiative, CWE provides a unified, measurable set of software weaknesses enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems.

Klocwork has achieved the Certificate of Common Weakness Enumeration Compatibility, the highest level of CWE support offered.

Klocwork compliance with CWE Requirements:

  • CWE Output: All analysis results can be reported using CWE Identifiers
  • CWE Searchable: Product documentation provides searchable CWE identifiers
  • CWE Coverage: Coverage is available within Klocwork online product documentation
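As an added illustration of the kind of weakness these identifiers label (this is example code written for this page, not Klocwork's code and not a checker from its library): the unsafe function below is an instance of CWE-120 (classic buffer overflow) and violates CERT STR31-C, since it copies caller-controlled input into a fixed buffer with no bound, and the safe form beside it is the remediation a developer would apply. The account structure, the NAME_MAX limit and the sample input are constructed for the example.

```c
/* Added example (not Klocwork code): a weakness of the kind a CWE-mapped
 * checker reports, beside its remediation.
 *   Unsafe:  unbounded strcpy into a fixed buffer -> CWE-120, CERT STR31-C
 *   Safe:    length checked before the copy, always NUL-terminated,
 *            caller gets an error code instead of silent truncation.
 * struct account and NAME_MAX are constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16

struct account {
    char name[NAME_MAX];
    int  privileged;          /* sits right after 'name' in memory */
};

/* Unsafe form (CWE-120 / CERT STR31-C): a name of NAME_MAX characters or
 * more overflows acct->name and overwrites the adjacent 'privileged' field. */
void set_name_unsafe(struct account *acct, const char *name)
{
    strcpy(acct->name, name); /* no bound on 'name' */
}

/* Hardened form: reject input that does not fit, copy with an explicit bound,
 * and always NUL-terminate. Returns 0 on success, -1 if the name is rejected. */
int set_name_safe(struct account *acct, const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_MAX) {
        return -1;            /* too long: refuse rather than truncate silently */
    }
    memcpy(acct->name, name, len);
    acct->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct account a = { "", 0 };
    /* constructed input: 24 'A's, longer than the 15 characters that fit */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAA";

    if (set_name_safe(&a, long_name) != 0)
        printf("rejected oversize name (privileged still %d)\n", a.privileged);
    if (set_name_safe(&a, "alice") == 0)
        printf("name=%s\n", a.name);
    /* set_name_unsafe(&a, long_name) is deliberately never called: it would
     * corrupt 'privileged' and is exactly what the checker exists to catch. */
    return 0;
}
```

The point a checker makes visible is the missing bound on the copy; the remediation is not merely swapping in a "safer" library call but deciding, at the API boundary, what happens to input that does not fit and returning that decision to the caller.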


Defense Information Systems Agency (DISA)

Part of DISA's Information Assurance Support Environment, the Security Technical Implementation Guides (STIGs) are the configuration standards for DoD information assurance (IA) and IA-enabled devices and systems. The STIGs contain technical guidance to "lock down" information systems and software that might otherwise be vulnerable to a malicious computer attack.

Our Klocwork checker library is mapped to the DISA STIG identifiers so customers can report against this requirement.


OWASP Top 10

The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Read more about Klocwork support for the OWASP Top 10 for 2010.