Software Security Standard

Coding Rules for Secure Software

There are 74 critical coding and architecture weaknesses to avoid in source code because of their impact on the security of an application. The standard is a good predictor of how easily an application can suffer unauthorized penetration that results in stolen information, altered records, or other forms of malicious behavior. For those familiar with the Common Weakness Enumeration (CWE), a repository of known software weaknesses managed by The MITRE Corporation, and a reference point for developers and tools, the Security standard includes 36 parent weaknesses and 38 child weaknesses ("children") that map back to the CWE and have CWE identifiers.

Security assesses the degree to which an application protects information and data so that persons or other products or systems have the degree of data access appropriate to their types and levels of authorization. Security measures the risk of potential security breaches due to poor coding and architectural practices.

To follow the standard guidelines, your source code should NOT contain these 74 critical weaknesses known to severely impact security. Detection of these weaknesses can be automated on source code through static analysis.

Who Developed the Software Security Standard?

The project team was led by Dr. Bill Curtis, CISQ Founding Executive Director and Chief Scientist at CAST Research Labs. The team consisted of delegates from CISQ sponsor organizations Accenture, Atos, Booz Allen Hamilton, CAST, CGI, Cognizant, ISHPI, Northrop Grumman, Synopsys, Tech Mahindra, and Wipro in addition to experts from the Software Engineering Institute at Carnegie Mellon University and the Common Weakness Enumeration project at The MITRE Corporation.

Who is Using the Software Security Standard?

The standard is used by government and industry organizations to measure software quality, including the U.S. Department of State, U.S. General Services Administration, U.S. Army, U.S. Air Force, Northrop Grumman, CGI, Cognizant, Tech Mahindra, Manulife, Telefonica, BNY Mellon, and others. The standard is freely available to use, reference, and download.

Which Tools Support the Code Quality Standards?

The code quality standards from CISQ are comprised of software weaknesses (CWEs) that can be detected in source code through static code analysis. CAST and Synopsys (tool vendors) contributed to development of the standards and support the standards in their tools. Most static analysis tools identify some, if not all, critical CWEs. Ask tool vendors about support for measuring CWEs and the CISQ standards for Reliability, Security, Performance Efficiency, and Maintainability.

Are you a tool vendor that supports CWEs and code quality standards? To be listed for reference, contact us.