CWE (Common Weakness Enumeration) is a comprehensive list of over 800 programming errors, design errors, and architecture errors that may lead to exploitable vulnerabilities — more than just the Top 25. The CWE/SANS Top 25 Most Dangerous Software Errors is a shortened list of the most widespread and critical errors that may lead to serious vulnerabilities in software, that are often easy to find and exploit. These are the most dangerous weaknesses because they enable attackers to completely take over the software, steal software data and information, or prevent the software from working at all.
Parasoft is certified as CWE Compatible, which means that Parasoft users can easily understand which static analysis checker is associated with which CWE during configuration, remediation, and reporting. Because of Parasoft’s CWE-centric approach, you don’t actually have to do anything special — just fix the violations and automatically generate what you need for compliance. Parasoft has also assisted prioritization (triage) and audit (suppress) activities by incorporating the CWE technical impact into the analytics hub.
As shown to the right, Parasoft’s unique real time feedback gives users a continuous view of compliance with the CWE, by providing interactive compliance dashboards, widgets, and reports that have the CWE risk assessment framework implemented right within the dashboard itself.
Parasoft users can leverage Parasoft’s static code analysis products for C/C++, Java, and .NET to reduce the cost of achieving CWE compliance and save time and effort.
Parasoft supports CWE guidelines with dedicated code analysis configurations that map to best practices outlined in the standard. Parasoft supports Mitre’s Common Weakness Enumeration (CWE) for C, C++, Java, and .NET languages — the linked PDFs show how Parasoft’s static analysis rules map to the CWE:
Parasoft’s policy-driven approach defines the organization’s expectations around quality while ensuring consistent, unobtrusive policy application. The automated infrastructure automatically monitors policy compliance for visibility and auditability.
Parasoft’s out-of-the-box CWE mappings mean that users don’t have to waste time trying to figure out what checkers are for which CWEs when configuring, and when fixing, users will always inherently know which CWE is being worked on because the static analysis checker names tell you.
For auditing and reports, Parasoft shows exactly which rules are covered by each checker, including a full set of PDF files showing compliance plan and deviation reports — but you almost don’t need the compliance plan, because the names are the same as CWE.
Secure application development involves more than static analysis. Truly secure application development requires that testing involve a mixture of test and analysis methods applied throughout the SDLC, and also that a broad set of software lifecycle management and vulnerability/risk management activities be integrated across the process to ensure the delivery of secure and reliable software.
Parasoft addresses both of these expectations with its Application Security solution. This integrated product extends Parasoft’s static analysis capabilities, providing a preconfigured system with processes and best practices that help organizations produce secure applications consistently and efficiently.
Unlike other static analysis vendors, Parasoft provides out-of-the-box policy/test configurations that are fully configurable and can be executed from within the IDE and via the CI/CD process to help quickly locate vulnerabilities earlier in the software development process.
Parasoft provides a new and unique view of compliance status by providing an interactive compliance dashboard page, widgets, and reports that have the PCI DSS risk assessment framework implemented right within the dashboard itself.
Parasoft’s data-driven reporting system helps you easily identify the most important issues and information out of the pool of possible problems you have, while enabling you to input from any Parasoft tools automatically as well as a host of other tools (both commercial and open source). It also has open REST APIs for both input and output, so you can easily integrate it into your build and development systems, as well as software accounting systems of record for auditing.