SD Elements uses the results from security tools to automatically mark the verification status of its security requirements. This capability relies on requirement-to-weakness mappings that are developed and maintained internally, in collaboration with product vendors.
The Common Weakness Enumeration (CWE) is the generally accepted way of describing software weaknesses. Wherever possible, SD Elements generates mappings by associating one or more CWE identifiers with an SD Elements requirement.
For example, if the product provides CWE information and identifies CWE-89 and CWE-564 for SQL injection weaknesses, our mapping would look like:

| SD Elements requirement | Mapped CWE identifiers |
|---|---|
| T38: Bind variables in SQL statements | CWE-89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection); CWE-564 SQL Injection: Hibernate |
| T282: Bind variables in SQL statements for client applications | CWE-89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection); CWE-564 SQL Injection: Hibernate |
T38 and T282 are each mapped to CWE-89 and CWE-564. If a scanning tool result file references CWE-89 or CWE-564, SD Elements marks the verification status of T38 or T282 (depending on the project type, client or server) as Fail.
Each mapping is assigned a confidence level. The value determines whether the verification status of a requirement is marked Pass (high confidence) or Partial Pass (low confidence) when the scanning tool found none of the mapped weaknesses.
The confidence level captures the general capability of a scanning tool to identify the weaknesses associated with the requirement. There are two possible values: low and high.
A mapping with a confidence level of "high" means that, assuming the scanning tool supports the application's technology stack (e.g. language and framework), it is normally very effective at finding the problems associated with the SD Elements requirement.
A mapping with a confidence level of "low" means that the scanning tool can normally detect some instances of the requirement's underlying problem, but not all, for a number of possible reasons.
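The status rules described above, as an added example that is not SD Elements code: a mapping table holding the T38 and T282 entries from the text, and a function that derives Fail, Pass or Partial Pass from the CWE identifiers found in a scan. The mapping fields, the `project_type` attribute and the sample scan findings are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    requirement: str       # SD Elements requirement id, e.g. "T38"
    cwes: frozenset[str]   # CWE ids the tool reports for this weakness
    confidence: str        # "high" or "low"
    project_type: str      # "server" or "client" (assumed field name)


# Mappings from the example in the text; project_type values are an assumption
MAPPINGS = [
    Mapping("T38", frozenset({"CWE-89", "CWE-564"}), "high", "server"),
    Mapping("T282", frozenset({"CWE-89", "CWE-564"}), "high", "client"),
]


def verification_status(mapping: Mapping, found_cwes: set[str]) -> str:
    """Fail if any mapped CWE appears in the results; otherwise Pass for a
    high-confidence mapping and Partial Pass for a low-confidence one."""
    if mapping.cwes & found_cwes:
        return "Fail"
    return "Pass" if mapping.confidence == "high" else "Partial Pass"


def apply_scan(project_type: str, found_cwes: set[str]) -> dict[str, str]:
    """Return {requirement_id: status} for the mappings of one project type."""
    return {m.requirement: verification_status(m, found_cwes)
            for m in MAPPINGS if m.project_type == project_type}


def cwes_in_results(findings: list[dict]) -> set[str]:
    """Collect the CWE ids referenced anywhere in a scanner result file."""
    return {f["cwe"] for f in findings if f.get("cwe")}


# Constructed scan findings: one references CWE-564, the other is unrelated
SAMPLE_FINDINGS = [
    {"rule": "hibernate-hql-injection", "cwe": "CWE-564", "file": "UserDao.java"},
    {"rule": "weak-hash", "cwe": "CWE-328", "file": "Crypto.java"},
]

if __name__ == "__main__":
    print(apply_scan("server", cwes_in_results(SAMPLE_FINDINGS)))  # {'T38': 'Fail'}
```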
Every security tool tracks weaknesses differently: not all security scanner products handle or report CWE identifiers uniformly. For this reason, SD Elements maintains a separate, explicit mapping for each supported tool.
Some scanning tool mappings are not based on CWE but on the "checks" or "weakness categories" that the product performs or reports. This technique was conceived during discussions with certain tool vendors because it yields a more accurate mapping.
Checks for vulnerable software
Some scanning tools search for known vulnerabilities in software. For these specific checks, SD Elements maps any results from the tool to "T186: Verify that third party libraries do not have any outstanding security patches".
Mappings undergo the following process:
1. We start by reviewing the full library of weaknesses that the scanning tool identifies and use a base CWE mapping to come up with an initial map.
2. Our content research experts, who have audit and scanning backgrounds, manually go over each item and adjust the mapping as they see fit.
3. Finally, we contact the scanning vendor to solicit their feedback on the mapping and the confidence levels, and adjust based on the full review by the vendor.
Ongoing mapping updates
On a periodic basis, SD Elements updates its mapping files to correspond with changes to its requirement database and any updates by product vendors.