Common Weakness Enumeration: CWE-Compatible Products and Services

Name of Your Organization:

WebLayers, Inc.

Web Site:

http://www.weblayers.com/

Compatible Capability:

WebLayers Security Policy Library

Capability home page:

http://www.weblayers.com/products-and-services/weblayers-policy-libraries/

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

WebLayers Policy Libraries are licensed components of the enterprise governance system. Upon purchase, the complete content of the policy libraries is available in the WebLayers Center platform and contains expanded material that covers policy explanation, risks/benefits, and conformance business impact.

Mapping Questions

Map Currency Indication <CR_6.1>

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

To view the Details information for the Java Security Library, licensed users select the desired library in the Navigator.

Navigate through the Navigator and select the library.

The Library Details tab displays the following information from top to bottom:

  • General
  • Name
  • Id
  • Description
  • Any applied classifier filters and classifier filter types

The Description is where users can see the most recent CWE content used to create or update the CWE mappings.

Upon a new release, the Description will indicate any or all of the changes to the mappings.

Under each of the CWE Identifiers, policies are codified from the various topics in CERT Secure Coding for Java. Users can click on the different identifiers and view the policy rules for each identifier.

Upon a new release, if there are changes, the policy implementations will change as well, or additional policies will be added.

[Screenshot: Map Currency Indication]

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

WebLayers has a biannual product release schedule and with each product release WebLayers will update its CWE Security Policy Library.

MAP CURRENCY UPDATE TIME <CR_6.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):

Customers who are licensed for the WebLayers Center have access to obtain the latest version of the CWE Security Policy Library.

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

Website and Product Data Sheet

The description of the Java Security policy can be found on the WebLayers website at the following link: http://www.weblayers.com/products-and-services/weblayers-policy-libraries/

Select the Security Policies tab on the lower-right-hand side.

The description of the Java Security policy can also be found in the following product sheet, also listed on the website: http://www.weblayers.com/resources/product-sheets/

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):

Using the search feature of the Java Security Library, users can find documentation that describes the specific details of each of the CWE identifiers and their associated security elements within the Java Security Library.

Searching Policies: Basic Search

When you search policies, all domains in the WebLayers Center implementation are searched; only policies to which you have read-access are returned.

The following fields are searched in basic search:

  • Explanation
  • Name
  • Subject
  • Description
  • Source

To perform a basic policy search:

  1. Select the Search Results tab.
  2. Enter the query text and then click the Search button.

See example below:

[Screenshot: Documentation of Finding Elements Using CWE Identifiers]

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):

Using the Search Feature listed above in item number 7, users can search using the CWE Identifiers associated with individual security elements.

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

The description of the Java Security policy can be found on the WebLayers website at the following link: http://www.weblayers.com/products-and-services/weblayers-policy-libraries/

Select the Security Policies tab on the lower-right-hand side.

Licensed users can view the Details for the Java Security Library by selecting the library in the Navigator.

In the Library Details tab, the Policies section lists all of the CWE Identifiers for the Java Security Library.

See example below:

[Screenshot: Documentation Indexing of CWE-Related Material]

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

WebLayers allows users to explicitly test an individual artifact or a group of artifacts against the Java Security Library. Artifacts such as Java source code are scanned against the CWE-identified security policies, and the results are available for review in the Conformance Center.

To analyze or test an artifact using Web Analyzer:

  1. Click the Web Analyzer button.

    The Web Analyzer dialog is displayed.

  2. As a Source, select File System and browse to or enter the path to the file.
  3. Click the Select Domain button and then select the test Domain. (In this case, select the Java Security Library.)
  4. (Optional) Click the Select Project button and then select the Project.

    If you select a project associated with a Stage, the Stage option becomes unavailable.

  5. Select a Stage.
  6. Select a Grant Artifact Read Privilege to option, and then click the Analyze button.
  7. If required by the Upload Referenced Artifact dialog, click the Analyze button.

    The test begins; a message is displayed when it is complete.

  8. To review the results, click the View Details button to open the Conformance Center.

[Screenshots 1 and 2: Finding Tasks Using CWE Identifiers]

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

The Dashboard is the center for compliance reporting for WebLayers Center. The Dashboard enables WebLayers Center users throughout the enterprise — managers, project leaders, architects, compliance analysts, and others — to view and evaluate the current state of compliance and the quality of governance at the enterprise, organization, and project level.

The goal of the Dashboard information is to provide immediate visibility into the projects, organizations, and artifacts that have the greatest compliance rates. Additionally, you will be able to see which policy domains best enforce compliance, and which artifacts are causing compliance failures.

As a Dashboard user you can filter reports for display and content, and then save the result as a new report and make it available to other users.

Reports focus on the results of artifact testing. They present test results that can be filtered to create "Save as" reports focused on a particular type of result or date range.

The base reports are:

  • Artifacts
  • Exemption Requests
  • Policies
  • Summary Impact Chart
  • Summary Impact Graph
  • Summary Project Compliance chart
  • Summary of Latest Findings by Project

Four of the base reports: Artifacts, Policies, the Summary Impact Chart and the Summary Impact Graph are combined to create the Governance Overview Dashboard.

[Screenshots 1 to 4: Finding CWE Identifiers Using Elements in Reports]

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

[Screenshots 1 to 3: Getting a List of Claimed CWE Identifier Coverage]

Online Capability Questions

FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):

Using the search feature of the Java Security Library, users can find documentation that describes the specific details of each of the CWE identifiers and their associated security elements within the Java Security Library.

Searching Policies: Basic Search

When you search policies, all domains in the WebLayers Center implementation are searched; only policies to which you have read-access are returned.

The following fields are searched in basic search:

  • Explanation
  • Name
  • Subject
  • Description
  • Source

To perform a basic policy search:

  1. Select the Search Results tab.
  2. Enter the query text and then click the Search button.

[Screenshot: Finding Online Capability Tasks Using CWE Identifiers]

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):

WebLayers Center utilizes a search engine technology that provides a method of searching for policies and assertions in your WebLayers Center deployment. When you search policies, all domains in the WebLayers Center implementation are searched; only policies to which you have read-access are returned. Only the Name and Description are searched.

To perform a basic policy or assertion search:

  1. Select the Search Results tab.
  2. Enter the query text and then click the Search button.

A list of matching policies, in order of relevance, is returned in the Search Results tab.

Use the hyperlinks provided to open a window with the full policy information.

In the case of the CWE Identifiers, the user enters the CWE Identifier of interest as the query text and then clicks the Search button.

[Screenshots 1 and 2: Finding Elements Using CWE Identifiers Through the GUI]

GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):

The following link details the Java Security Library with the CWE Identifiers: http://www.weblayers.com/products-and-services/weblayers-policy-libraries/

Select the Security Policy tab.

The library is a combination of the CWE identifiers and the related topics from CERT Secure Coding for Java. The library codifies the specific topics, thereby allowing a user to analyze Java source code and verify whether or not the code violates any of the policies set by the related CWE Identifiers and CERT Secure Coding standards for Java.

Questions for Signature

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Byron K. Thomas

Title: Technical Policy Author

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Byron K. Thomas

Title: Technical Policy Author

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Byron K. Thomas

Title: Technical Policy Author

Page Last Updated: January 17, 2017