CVSS support should be a requirement for all vulnerability assessment procurements, and enterprises should urge all IT suppliers to use CVSS scoring when disclosing vulnerabilities.

–John Pescatore, Gartner
Standards-Based Ratings

The Veracode software ratings system

Veracode offers what it describes as the industry’s first standards-based ratings system for determining security levels in software. The ratings system gives enterprises and Independent Software Vendors (ISVs) a pragmatic way to measure, compare and improve the security level of an application.

Standards-based Ratings

Veracode’s Software Security Ratings System is built on respected industry standards: MITRE’s Common Weakness Enumeration (CWE) for classifying software weaknesses, FIRST’s Common Vulnerability Scoring System (CVSS) for rating severity and ease of exploitation, and NIST’s definitions of assurance levels. Veracode combines these three standards into a single, practical way to assess software security across internally developed and externally purchased applications.

MITRE CWE

Veracode is a participating organization in the CWE community effort and was the first application security vendor to adopt MITRE’s CWE as its standard flaw identifier. CWE is now broadly adopted across the application security space by many other vendors and security practitioners. Each identified flaw is tagged with a CWE ID and given a severity weight derived from the confidentiality, integrity, and availability impacts of that flaw, as defined by the Common Vulnerability Scoring System (CVSS). See MITRE’s CWE compatibility section to compare Veracode’s support of CWE with that of other vendors.


FIRST CVSS

CVSS is used by the National Vulnerability Database and by major software companies such as Cisco and Oracle to prioritize security remediation, and it is referenced by compliance programs such as PCI DSS. Version 2.0 of CVSS was released by FIRST in June 2007. Gartner believes that CVSS should be adopted by IT vendors for vulnerability and patch reporting and has stated that “CVSS is a powerful approach for businesses to standardize the impact assessment and prioritization of IT vulnerabilities.”


NIST Assurance Levels

Software security metrics for business and government require the context of an assurance level. Veracode uses the four assurance levels defined in OMB memorandum M-04-04 (E-Authentication Guidance for Federal Agencies), the levels that NIST SP 800-63 implements. The assurance level is chosen by the potential impact to the organization in six categories: damage to standing or reputation, financial loss or liability, harm to operations or programs, unauthorized release of sensitive information, personal safety, and civil or criminal violations. Veracode participates in the NIST Software Assurance Metrics and Tools Evaluation (SAMATE) project, and its static analysis supports the requirements of the NIST Source Code Security Analysis Tool Functional Specification Version 1.0.


Learn more about how Veracode combines CWE, CVSS and NIST assurance levels to provide a trusted security rating for organizations developing and buying software.