CISQ developed a specification for an Automated Source Code Data Protection Measure that has been approved and published as an OMG standard, available at https://www.omg.org/spec/ASCDPM. This measure is based on a collection of relevant weaknesses from the Common Weakness Enumeration (CWE) Repository that support enterprise and supply chain requirements for protecting data, confidential information, intellectual property, and privacy. The measure includes CWEs that enable data leakage, i.e., unauthorized access to read or modify data.
This new standard is relevant to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other cybersecurity regulations. Many organizations will undergo compliance assessments for GDPR, CCPA, ISO 27001, NIST SP 800-53 r5, NIST SP 800-171, and other standards and regulations. Analyzing source code running on systems and devices that process or transmit data provides one indicator of the extent to which they are susceptible to data leakage. Detecting these weaknesses in the code reveals that required data protection/privacy controls were incorrectly implemented or can be circumvented. Use cases include development testing, acceptance testing of third-party software, compliance audits, and independent verification and validation (IV&V).