CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > Compatibility > CWE-Compatible Products and Services  

Name of Your Organization:

Veracode, Inc.

Web Site:

http://veracode.com

Compatible Capability:

Veracode Static Analysis

Capability home page:

https://analysiscenter.veracode.com/

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Veracode provides automated static and dynamic application security testing software and remediation services, delivered via a cloud-based platform.

Mapping Questions

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

As part of our 2012.2 release on February 29, 2012, the following text will be added to the Help Center on the Veracode platform, on the page entitled “Veracode and the CWE”:

Veracode always uses the latest version of the CWE, and updates to new versions within 90 days of release.

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

All Veracode findings are mapped to CWE categories. We revisit our mappings with every new CWE release, with any changes incorporated into the subsequent Veracode platform release.

MAP CURRENCY UPDATE TIME <CR_6.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CWE content (required):

As part of our 2012.2 release on February 29, 2012, the following text will be added to the Help Center on the Veracode platform, on the page entitled “Veracode and the CWE”:

Veracode always uses the latest version of the CWE, and updates to new versions within 90 days of release.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

Every Veracode report includes, in the Scoring Methodology section, a description of how CWE is factored into application scoring:

The Veracode scoring system, Security Quality Score, is built on the foundation of two industry standards, the Common Weakness Enumeration (CWE) and Common Vulnerability Scoring System (CVSS). CWE provides the dictionary of security flaws and CVSS provides the foundation for computing severity, based on the potential Confidentiality, Integrity and Availability impact of a flaw if exploited.

There is also a section describing how every flaw is classified using CWE.

The Common Weakness Enumeration (CWE) is an industry standard classification of types of software weaknesses, or flaws, that can lead to security problems. CWE is widely used to provide a standard taxonomy of software errors. Every flaw in a Veracode report is classified according to a standard CWE identifier.

More guidance and background about the CWE is available at http://cwe.mitre.org/data/index.html.

Finally, within the Veracode platform, every flaw is directly linked to the CWE website for users to obtain more detailed information about the CWE category itself. Refer to Question 8 for more details.

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability's repository (required):

Use one or more criteria

In some cases, you may want to review a specific subset of your application's flaws:

  • Flaws in a particular module or source file, or on a particular line number
  • Flaws in a particular category (e.g., Cross-Site Scripting) or CWE
  • Flaws that are very likely to be exploited
  • Very severe flaws
  • New flaws
  • Flaws involving a particular function
  • Flaws with pending, approved, or rejected mitigations
  • Flaws with a particular effort to fix
  • Any combination of the above

You can search for any of these criteria using the Search field at the top of the list of flaws. To search for a particular item:

  1. Choose the column you want to search on from the Search drop-down list.
  2. Enter your search criteria in the text box, or select the appropriate criterion from the drop-down list.
  3. Type Enter or click the Go button. The list of flaws is filtered by the search criterion entered, and the search criterion entered is shown above the Flaw Viewer toolbar.

You can see how many flaws were returned by your search by looking at the flaw count to the left of the list of filter criteria.

Search by multiple criteria

If you wish to use multiple search criteria (e.g. finding all cross site scripting flaws in a given module), search by the first criterion, then enter the second criterion. Both search criteria will be displayed above the Search field in the list of search criteria.

If you add more than three search criteria, you can click the More link to view the full list of search criteria.

Use wildcards

Filter types that take a string input (e.g., source file name, category, etc.) can use a wildcard. Entering a search string containing an asterisk (*) will look for items that contain one or more characters in place of that asterisk.

For example, searching for categories marked *debug* will return flaws in the category "Leftover Debug Code."

Use negative criteria

You can specify a filter using a negative criterion (i.e., is not equal to). Negative criteria can be used to exclude a set of flaws from display, such as hiding all informational flaws (Severity=0).

To use a negative criterion, do the following:

  1. Choose the column by which you want to search from the Search drop-down list.
  2. Click once on the = button next to the list. This toggles the button to the Not Equals (!=) state.
  3. Enter your search criterion in the text box, or select the appropriate criterion from the drop-down list.
  4. Type Enter or click the Go button. The list of flaws is filtered by the search criterion entered, and the search criterion entered is shown above the Flaw Viewer toolbar.

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability's repository (required):

View static results for an application

To access static results, go to the flaw viewer by clicking the Review link from the Applications list, then click the Triage Flaws link in the left navigation menu for the application. Then click on the Static Results link at the top of the page if it is not already selected.

The grid at the bottom of the page is sortable and can be used to select a particular flaw. The grid shows the flaw ID, severity, exploitability, parameter, CWE, location, status, and mitigation status. Clicking on a specific finding causes the flaw viewer to prompt you load your local copy of the source code into the source code viewer at the top of the page.

View dynamic results for an application

To access dynamic results, go to the flaw viewer by clicking the View link from the Applications list, then click the Triage Flaws link in the left navigation menu for the application. Then click on the Dynamic Results link at the top of the page if it is not already selected.

As with static scan results, the grid at the bottom of the page is sortable and can be used to select a particular flaw. The grid shows the flaw ID, severity, parameter, CWE, URL, status, and mitigation status. Clicking on a specific finding displays additional details in the top half of the page.

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

Our documentation does not currently include a master index.

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.3.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

Veracode’s CWE coverage map can be found on our public-facing corporate website at http://www.veracode.com/directory/CWE-SANS-TOP-25.html. This information is also available to customers via the Help Center on the Veracode platform.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

Refer to Question 8 for details on how to find CWE identifiers using the Triage Flaws interface of the Veracode platform. This is a developer-centric interface used to drill down into the details of individual flaws.

In the HTML and PDF reports, the Findings and Recommendations are grouped first by severity (Very High to Very Low) and then by CWE identifier within each severity level. For each CWE identifier, the report contains a table of all flaw occurrences with that CWE identifier. A brief description for the CWE category is provided, along with a hyperlink to that category’s page on cwe.mitre.org.

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

Veracode’s CWE coverage map can be found on our public-facing corporate website at http://www.veracode.com/directory/CWE-SANS-TOP-25.html. This information is also available to customers via the Help Center on the Veracode platform.

We claim that the service is effective at locating all CWE categories listed. Veracode scans undergo rigorous testing to minimize False Positives and False Negatives before introducing them into production.

This list reflects the CWEs that Veracode tests for using automated static and dynamic scanning. The Veracode platform may report flaws in other CWEs if the results of a manual penetration test are included alongside the scan results. Where a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case (e.g., CWE 80 is preferred for cross-site scripting over its child CWEs). This list is updated frequently.

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.3.4>

Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the service is effective at locating in software (recommended):

Veracode does not currently provide a CCR document.

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.3.6>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):

The Veracode service does not provide direct access to any other products.

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

Reports are available in HTML, PDF, and XML formats. Reports available include a Summary Report, Detailed Report, or PCI Report, all of which contain CWE mappings for all flaws. Flaw data, including CWE mappings, can also be retrieved via the Veracode Results API. All programs typically used to view these data formats have built-in search capabilities.

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

CWE identifiers are always displayed prominently whenever short names are used.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifier(s) (recommended):

A sample Veracode PDF report can be found on our public-facing corporate website at http://www.veracode.com/solutions/get-a-report.html.

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CWE identifier(s) (required):

In the Veracode platform, flaw listings can be sorted and filtered by CWE category. Veracode Analytics allows users to query their application inventory for the prevalence of specific CWE categories. Refer to Question 7 for more details on using CWE identifiers to find individual security elements.

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability's elements, also describe the format of the mapping (required):

Every flaw is associated with a CWE category in the GUI. Hyperlinks to the CWE category on mitre.org are provided alongside the flaw description. Refer to Question 8 for more details on how to find CWE identifiers using the Triage Flaws interface of the Veracode platform.

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):

Reports are available in HTML, PDF, and XML formats. Reports available include a Summary Report, Detailed Report, or PCI Report, all of which contain CWE mappings for all flaws. Flaw data, including CWE mappings, can also be retrieved via the Veracode Results API.

Questions for Signature

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

See answer to <CR_A.2.1> above.

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Chris Eng

Title: Vice President, Research

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Chris Eng

Title: Vice President, Research

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Chris Eng

Title: Vice President, Research

Page Last Updated: [an error occurred while processing this directive]