Automated Source Code Data Protection Measure

Objective

CISQ has a Working Group that created an Automated Source Code Data Protection Measure based on a collection of relevant CWEs (software weaknesses, see https://cwe.mitre.org/data/definitions/1340.html) that can be used to support enterprise and supply chain needs in protecting data, confidential information, IP, and privacy. 

In the specification, the team included CWEs associated with enabling data leakage – those that have CWSS technical impacts that enable unauthorized access to read/modify data. 

This new standard will be highly relevant to General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), as well as Cybersecurity Maturity Model Certification (CMMC) (for CUI protection), so we are spotlighting the relevance of CWE for enterprises seeking to comply with regulatory guidance associated with data protection and privacy. Many organizations will be undergoing process assessments associated with CMMC, GDPR, CCPA, ISO 27001, NIST SP 800-53 r5, NIST SP 800-171, etc. Scanning code that will run or is running in enterprises (on systems and devices that process or transmit data) would determine if the systems or devices enable data leakage. If so, then such a scan would reveal if the data protection/privacy controls associated with the process assessment were inadequately implemented.

Use cases could be developed for Software Development, Acceptance Testing of Third-Party Software, and Audit/IV&V. 

As follow-on effort, CISQ seeks to get this aligned with ISO/IEC 25000 series (25010 software product quality characteristics) to specify Data Protection as a sub-characteristic of Security.

Timetable

This project began in May 2020 and the team submitted a specification to Object Management Group (OMG) in December 2020. We anticipate the measure will become an OMG standard in early 2021.

Participants