Security Coding Standards

Klocwork static analysis automates the detection of hundreds of different potential security vulnerabilities in software code while giving development teams a consistent, tool-based approach to identifying and remediating these issues. As part of its commitment to providing comprehensive security vulnerability analysis, Klocwork actively supports the following secure coding initiatives; where applicable, links to our checker documentation are included below.

MISRA

Originally intended to provide guidance to facilitate safe and reliable coding practices for the automotive industry, the Motor Industry Software Reliability Association (MISRA) coding standards have been adopted by many other industries developing safety-critical embedded software including telecom, aerospace, defense, and medical. Klocwork provides built-in, automated detection and reporting for MISRA-C:2004 and MISRA-C++:2008.

Using Klocwork Insight, MISRA coding standard violations can be reported automatically at the developer desktop, integration build, and through the Klocwork peer code review solution.

With Klocwork's technology, customers now have one tool that can be used to implement defect detection and coding standard enforcement.

Common Weakness Enumeration (CWE™)

A MITRE Corporation initiative, CWE provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems.

Klocwork has achieved the Certificate of Common Weakness Enumeration Compatibility, the highest level of CWE support offered.

Klocwork Insight's compliance with CWE Requirements is summarized as follows:

  • CWE Output: All analysis results can be reported using CWE Identifiers
  • CWE Searchable: Product documentation provides searchable CWE identifiers
  • CWE Coverage: Coverage is available within Klocwork's online product documentation

CERT Secure Coding Initiative

In association with the Software Engineering Institute (SEI) at Carnegie Mellon University, the CERT Secure Coding Initiative works with software developers and software development organizations to reduce vulnerabilities resulting from coding errors before the software is deployed.

CERT identifies common programming errors that lead to software vulnerabilities, publishes secure coding standards, and educates software developers with the goal of advancing the state of the practice in secure coding. Klocwork's support for CERT standards can be found at the CERT website or Klocwork's CERT Coding Standard page.

Defense Information Systems Agency (DISA)

Part of DISA's Information Assurance Support Environment, the Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

Klocwork has mapped its checker library to the DISA STIG identifiers so customers can report against this requirement.

SAMATE

Software Assurance Metrics and Tool Evaluation (SAMATE) is sponsored by the U.S. Department of Homeland Security (DHS) National Cybersecurity Division and NIST. The objective of part 3, Technology (Tools and Requirements), is the identification, enhancement, and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness.

OWASP Top 10

The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Read more about Klocwork's support for OWASP Top 10 for 2010.
