Support for Brand New 2019 CWE Guidelines

Parasoft is first-to-market with full support and compliance reporting for the updated security rule mappings from MITRE

Parasoft, the global leader in automated software testing, offers complete support for the newly updated 2019 Common Weakness Enumeration (CWE) Top 25 and “On the Cusp” (an additional 15 weaknesses) for C, C++, Java, and .NET languages. With the latest releases of their software testing products Parasoft Jtest, Parasoft dotTEST, and Parasoft C/C++test, Parasoft is the only vendor to cover all of these critical security guidelines, enabling organizations to achieve continuous security and compliance to prevent the most dangerous of software errors.

Parasoft’s CWE Compliance Packs for C/C++, Java, and .NET provide pre-configured, out-of-the-box, and fully customizable test configurations and reporting for the CWE Top 25 and CWE CUSP security standards. The solution is certified CWE-Compatible, so users can easily understand which static analysis checker is associated with which CWE item during configuration, remediation, and reporting. With Parasoft’s unique CWE-centric model, all the checkers are named based on the associated CWE ID, removing the need for time-consuming mapping when configuring, reporting, and remediating issues. The unique real-time feedback gives users a continuous view of compliance with the CWE, by providing interactive compliance dashboards, widgets, and reports that have the CWE risk technical impact implemented right within the dashboard itself.

“The additional information provided in the 2019 update will help organizations objectively understand which items are likely to cause the most harm, making the 2019 CWE Top 25 and ‘On the Cusp’ more effective for cybersecurity,” explained Arthur Hicken, security expert at Parasoft. “Using a SAST tool that covers the entirety of these two lists will help ensure that your software is as secure as possible. Parasoft’s complete CWE support and powerful reporting and analytics system helps our customers not only catch security vulnerabilities before they release, but address core root-cause security problems to harden the code.”

Establish, Apply, and Monitor Adherence to Policies

Parasoft’s policy-driven approach defines the organization’s expectations around quality while ensuring consistent, unobtrusive policy application. The automated infrastructure monitors policy compliance for visibility and auditability. With the out-of-the-box CWE mappings, users no longer have to spend time working out which checkers correspond to which CWEs when configuring, and when fixing an issue they always know which CWE is being worked on because the static analysis checker names tell them. For auditing and reports, Parasoft shows exactly which rules are covered by each checker, including a full set of PDF files containing the compliance plan and deviation reports; since the checker names match the CWE IDs, users rarely need to consult the compliance plan at all.

Secure application development beyond static analysis

Truly secure application development requires that testing involve a mixture of test and analysis methods applied throughout the SDLC (software development lifecycle), and also that a broad set of software lifecycle management and vulnerability/risk management activities be integrated across the process to ensure the delivery of secure and reliable software. With its application security solution Parasoft addresses both of these expectations. This integrated system extends Parasoft’s static analysis capabilities – providing a pre-configured system with processes and best practices that help organizations produce secure applications consistently and efficiently.

Out-of-the-box static analysis configurations for CWE

Unlike other static analysis vendors, Parasoft provides out-of-the-box policy/test configurations that are fully configurable and can be executed from within the IDE and via the CI/CD process to help quickly locate vulnerabilities earlier in the software development process.

Monitoring CWE Compliance Status

Parasoft provides a unique view of compliance status, by providing interactive compliance dashboards, widgets, and reports that have the PCI DSS risk assessment framework implemented right within the dashboard itself.

The data-driven reporting system helps to easily identify the most important issues out of the pool of possible problems, while automatically accepting input from any Parasoft tool as well as from a host of other tools (both commercial and open source). It also has open REST APIs for both input and output, so it is easy to integrate into existing build and development systems, as well as into software accounting systems of record for auditing.

Parasoft offers industry-leading support for secure coding standards.


The Report Center and its checker names, dashboards, and reports use the CWE naming convention to make conformance and auditing easier and help developers focus on the most critical violations.


Parasoft compliance reports are available on demand, while the compliance criteria are flexible and specific to the team’s project and code base.

Contact: sales-uk@parasoft.com

https://www.parasoft.com/solutions/compliance/cwe
