Solutions - Security Coding Standards

Klocwork static analysis automates the detection of hundreds of different potential security vulnerabilities in software code while giving development teams a consistent, tool-based approach to identifying and remediating these issues. As part of its commitment to providing comprehensive security vulnerability analysis, Klocwork is actively supporting the following secure coding initiatives and where applicable, links to our checker documentation are included below.

Common Weakness Enumeration (CWE)

A MITRE initiative, CWE provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems.

Klocwork has successfully fulfilled the requirements for Phase II of the Compatibility and Effectiveness Program and has been declared CWE Compatible by The MITRE Corporation. Klocwork Insight's compliance is summarized in the table below.

Requirement      CWE Declaration   Description
CWE Output       Yes               All Klocwork analysis results can be reported using CWE identifiers
CWE Searchable   Yes               Klocwork product documentation provides searchable CWE identifiers
CWE Coverage     Yes               Klocwork's CWE coverage is available within Klocwork's online product documentation

CERT Secure Coding Standards

In association with the Software Engineering Institute (SEI) at Carnegie Mellon University, the CERT Secure Coding Initiative works with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before they are deployed.

CERT identifies common programming errors that lead to software vulnerabilities, publishes secure coding standards, and educates software developers with the goal of advancing the state of the practice in secure coding. Klocwork's support for CERT standards can be found at the CERT website or Klocwork's CERT Coding Standard page.

SAMATE

Software Assurance Metrics and Tool Evaluation (SAMATE) is sponsored by the U.S. Department of Homeland Security (DHS) National Cybersecurity Division and NIST. The objective of Part 3, Technology (Tools and Requirements), is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools and (B) measuring the effectiveness.

Defense Information Systems Agency (DISA)

Part of DISA's Information Assurance Support Environment, the Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

Klocwork has mapped its checker library to the DISA STIG identifiers so customers can report against this requirement.

OWASP Top 10

The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Read more about Klocwork's support for the OWASP Top 10 for 2010.

Relevant Reads

WHITEPAPER: Source Code Analysis in an Agile World

To keep pace with ever-increasing customer demands on software functionality and time-to-market expectations, software developers have had to evolve the way they develop code to be both faster and higher quality. [...]

WHITEPAPER: The Next Generation Source Code Analysis

Automated source code analysis (SCA) technology locates and describes critical bugs and security vulnerabilities in software source code. [...]