Veracode CWE Support
Download the list of CWEs Veracode tests for. This list reflects the CWEs that Veracode tests for using automated static and dynamic scanning. The Veracode platform may report flaws in other CWEs if the results of a manual penetration test are included alongside the scan results. Where a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case (e.g. CWE 80 is preferred for cross-site scripting over its child CWEs). This list is updated frequently.
VERAFIED Security Mark for the CWE/SANS TOP 25
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant errors that can lead to serious software vulnerabilities. The errors on this list occur frequently, are often easy to find, and are easy to exploit. They are dangerous because they frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
Although Veracode SecurityReview detects hundreds of software security flaws, we provide a razor-sharp focus on finding the problems that are “worth fixing”. The CWE/SANS Top 25 is a list of flaws so prevalent and severe that no non-web applications should be delivered to customers without some evidence that the software does not contain these errors.
The following table identifies technical flaws found through automated analysis used to achieve the VERAFIED security mark and the additional coverage provided through manual penetration testing to detect business logic and design errors to achieve the VERAFIED HIGH ASSURANCE security mark for the 2010 CWE/SANS Top 25.