GrammaTech, Inc., a leading provider of source-code analysis tools, declared that CodeSonar Enterprise is the first static-analysis tool that is compatible with all aspects of MITRE’s Common Weakness Enumeration (CWE) standard. CodeSonar has now entered CWE’s Evaluation Phase, after which CWE compatibility will become official.
CWE, developed by the MITRE Corporation under the sponsorship of the National Cyber Security Division of the Department of Homeland Security, provides a standard language for describing software security weaknesses. Standard terminology makes it easier for organizations to identify, understand and eliminate the myriad of security weaknesses that can occur in software.
“Leveraging efforts on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop,” said Robert Martin, CWE project leader.
“GrammaTech’s CodeSonar is a static analysis tool for identifying programming flaws and security vulnerabilities in code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort and proud to be the first vendor to offer a static-analysis tool that is compatible in all aspects,” said Paul Anderson, VP of Engineering at GrammaTech.
Software acquirers want assurance that the software products they are obtaining are reviewed for known types of security flaws, and the acquisition groups in large government and private organizations are moving forward to use these types of reviews as part of future contracts. However, the tools and services that can be used for this type of review are new at best and there is no nomenclature, taxonomies, or standards to define the capabilities and coverage of these tools and services. This makes it difficult to comparatively decide which tool/service is best suited for a particular job. What is needed is a standard list and classification of software security weaknesses to serve as a unifying language of discourse and a measuring stick for tools and services. CWE was created specifically to address these problems.
More information: Common Weakness Enumeration (CWE) standard
GrammaTech’s static-analysis tools are used worldwide by startups, Fortune 500 companies, educational institutions, and government agencies. The staff includes ten researchers with PhDs in programming languages and program analysis. The company has offices in Ithaca, New York, and San Jose, California.