What are CERT and CWE?
As well as the Xcalibyte Ruleset, Xcalscan incorporates rules from SEI CERT coding standards which are mapped to CWE. By using global coding standards developed by communities of researchers, software engineers and security analysts, Xcalscan applies extra intelligence to identify security vulnerabilities in software products.
Xcalscan supports many CERT C, CERT C++ and CERT J coding standards. For CERT C and CERT Java, we support 90% of level 1 and level 2 rules.
SEI CERT C
SEI CERT C++
SEI CERT Oracle Coding Standard for Java
CERT SECURE CODING STANDARDS
CERT is a division of Carnegie Mellon University's Software Engineering Institute (SEI), which has developed secure coding standards for the most commonly used programming languages such as C, C++, and Java. Drawing on a broad coalition of software development and security communities worldwide, the CERT standards provide universally applicable guidance for avoiding coding and implementation errors. Coding standards are essential to the development of secure software because they ensure programmers follow a uniform, internationally recognized set of rules and guidelines rather than relying on an individual programmer's preferences.
COMMON WEAKNESS ENUMERATION
The Common Weakness Enumeration (CWE) is a uniform catalogue of software weaknesses that provides a common language for describing and discussing weaknesses and for selecting security tools and services that can find specified weaknesses in source code and operational systems. CWE affords a better understanding and management of architecture and design weaknesses as well as low-level coding and design errors.
The Relationship Between CERT and CWE
CWE and CERT operate separately but support each other. While CWE is a comprehensive record of known weaknesses, CERT tries to characterize the logic behind known weaknesses in relation to data and program flow, and how hidden assumptions between that data and the underlying application logic can expose vulnerable points to external attack.
CWE contains a vast array of identified weaknesses, but not all of them apply to a particular coding standard, because each language presents its own set of vulnerabilities and CWE also includes high-level design issues.
CERT does not map every secure coding guideline to the CWE weaknesses because some coding errors can present themselves in ways that do not correlate directly to any given weakness. Both tools are vital in assessing software security and safety.
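The page describes CERT rules as capturing hidden assumptions about data and program flow, with each rule mapped (where a mapping exists) to a CWE entry. The following is an added example, not code from Xcalibyte, SEI CERT or the Xcalscan product, illustrating one such pairing: SEI CERT C rule STR31-C (guarantee that storage for strings has sufficient space for the character data and the null terminator), which CERT maps to CWE-120 (classic buffer overflow). The violating function relies on an unstated assumption that callers never pass a long name; the compliant function turns that assumption into an explicit check. The buffer size, function names and sample inputs are constructed for the example.

```c
/* Added example (not Xcalibyte's, SEI CERT's or Xcalscan's own code).
 * Rule illustrated: SEI CERT C STR31-C, mapped by CERT to CWE-120.
 * NAME_LEN, the function names and the sample strings are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Violates STR31-C: the code silently assumes every caller passes fewer than
 * NAME_LEN characters. Nothing enforces that assumption, so a longer string
 * writes past the end of buf (CWE-120). Shown only as the "before" form;
 * the compliant version below is the one to use. */
int copy_name_unchecked(char buf[NAME_LEN], const char *src) {
    strcpy(buf, src);            /* unbounded copy: no room check at all */
    return 0;
}

/* Compliant with STR31-C: the hidden assumption becomes an explicit check on
 * the data, and oversized input is reported to the caller (-1) instead of
 * corrupting memory. Returns 0 when src (plus terminator) fits in buf. */
int copy_name_checked(char buf[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        return -1;               /* n + 1 bytes needed; only NAME_LEN available */
    }
    memcpy(buf, src, n + 1);     /* copies the null terminator as well */
    return 0;
}

int main(void) {
    char buf[NAME_LEN];
    const char *ok = "alice";                                   /* constructed */
    const char *too_long = "a-name-longer-than-sixteen-chars";  /* constructed */

    printf("\"%s\" -> %d\n", ok, copy_name_checked(buf, ok));
    printf("\"%s\" -> %d\n", too_long, copy_name_checked(buf, too_long));
    return 0;
}
```

A scanner that implements STR31-C flags the unbounded strcpy in copy_name_unchecked and reports it under CWE-120, which is the kind of CERT-to-CWE mapping the text refers to; the checked version is what such a finding is resolved to.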
It is important to understand that CERT and CWE, as well as other knowledge sources such as OWASP, are constantly being updated and reflect current thinking in the communities that contribute to them. As software advances, more knowledge is accumulated and new vulnerabilities emerge.