News

Parasoft Addresses CWE Software Weaknesses

• By John K. Waters
• November 20, 2019

Software testing tools maker Parasoft announced this week that the latest versions of its Jtest, dotTEST, and C/C++ solutions provide coverage of critical vulnerabilities laid out in the newly updated 2019 Common Weakness Enumeration (CWE) list. These releases address both the CWE Top 25 and "On the Cusp" (an additional 15 weaknesses) for the Java, C/C++, and .NET languages.

The CWE (Common Weakness Enumeration) is a formal list of more than 800 programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. The CWE is a community project sponsored by the National Cybersecurity FFRDC (federally funded research and development centers), which is operated by the not-for-profit Mitre Corporation. The list was previously updated in 2011.

All of Parasoft's static analysis tools are certified by Mitre as CWE-compatible. The company's certified CWE-compliant packs for C/C++, Java, and .NET provide pre-configured, out-of-the-box, and fully customizable test configurations and reporting for the CWE Top 25 and CWE CUSP security standards.

The tools are designed to make it easy for teams to understand which static analysis checker is associated with which CWE item during configuration, remediation, and reporting. With Parasoft's CWE-centric model, all the checkers are named based on the associated CWE ID, removing the need for mapping when configuring, reporting, and remediating issues.

The CWE compliance reports provide an ongoing, continuous view of CWE compliance status, with interactive dashboards, widgets, and reports that provide insight into CWE risk and technical impact associated with the code.

Arthur Hicken, security expert at Parasoft, describes the company's approach as CWE-centric.

"We actually looked at the new CWE top 25 and we made sure we have one or more checkers for every single item on that list," Hicken told ADTmag. "This is incredibly abnormal, since most vendors cover maybe 13 or 14. But this is supposed to be a starting place, not a comprehensive solution. We've even gone beyond it with what I like to call 'the honorable mentions'—the 'On the Cusp' list, which is the next 15."

Both the Top 25 and "On the Cusp" items are also an integral part of UL 2900 (Software Cybersecurity for Network-Connectable Products) compliance, which is recognized by the FDA for network-connected medical device cybersecurity.

This release of Jtest includes support for JUnit 5, the latest version of the popular Java testing framework. The new architecture introduced in JUnit 5 included several features, such as lambda support for assertions and the ability to select and filter test suites defined in separate classes, that are all supported in Parasoft Jtest.  

JUnit 5 is also backwards compatible with JUnit 4, so existing JUnit 4 tests can be integrated into the JUnit 5 framework and users can continue using Jtest functionality, such as automatic unit test creation and advanced mocking, to create and maintain new and existing tests. Parasoft Jtest's unit testing features, such as automatic test creation, quick-fix actions, and the ability to clone and mutate tests to extend coverage, are all supported for JUnit 5 and 4.