LDRA Implements Homeland Security's Secure Programming Guidelines

The CWE project aims to better understand flaws in software and to create automated tools that can be used to identify, fix and prevent those flaws. CWE Compatibility confirms that the LDRA tool suite can identify common programming errors contributing to software containing potentially exploitable vulnerabilities.



The CWE project is an international community-developed formal list of common software weaknesses. CWE is a software assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The CWE effort aims to help shape and mature the code security assessment industry and to dramatically accelerate the use and utility of software assurance capabilities for organisations in reviewing the software systems they acquire or develop.



According to research directed by the National Institute of Security Technology, 64% of software vulnerabilities stem from programming errors. To help identify core weaknesses contributing to software vulnerabilities, MITRE Corporation, a public interest not-for-profit organisation, created the CWE list. MITRE manages several federally funded research and development centres, including one for the Department of Homeland Security which is mandated with developing the CWE project. CWE was created to address the concerns of organisations that want assurance that the software products they acquire and develop are free from known types of programming errors.



CWE Compatibility recognises the ability of LDRA’s static and dynamic analysis tools, LDRA Testbed and TBvision, to assist companies in finding security flaws and weaknesses in code, aiding the development of secure software applications. LDRA achieved CWE Compatibility by accurately mapping the LDRA tool suite to the coding rules of CWE so that the LDRA tool suite can identify, reference and document weaknesses within the code.



“In today’s world, the infrastructure of our everyday life hinges on software that is Internet-connected,” acknowledged Ian Hennell, LDRA’s Operations Director. “In such a world, the importance of securing software from any vulnerabilities and weaknesses ensures the safety of our basic infrastructure, whether communications, power distribution grids, medical information and services, traffic management system, airport traffic control, or financial information. LDRA is committed to identifying the typical programming errors that make software applications vulnerable to external attack and exploitation.”



CWE establishes a list of software weaknesses that provides effective discussion, description, selection of the weaknesses as well as the use of software security tools and services that can find these weaknesses in source code and operational systems. CWE also seeks to better understand and manage software weaknesses at the architecture and design levels. LDRA has integrated the coding competencies that contribute to secure programming into the LDRA tool suite.