Software Vulnerabilities and Weaknesses

By Cloud & DevOps Tech Group

The study and control of vulnerabilities is one of the critical factors around which the world of software security revolves. Several organizations are responsible for dealing with this area, such as MITRE, FIRST and ICASI.

MITRE Corporation is a non-profit organization funded by the National Cyber Security Division of the United States Department of Homeland Security.
Through the National Cybersecurity FFRDC, it is responsible for recording and officially publishing all data relating to known vulnerabilities, weaknesses and attacks in the security world. All this information is public and can be freely consulted.


What is CVE?

CVE stands for Common Vulnerabilities and Exposures. A CVE entry refers to a specific instance of a vulnerability within a product or system. The CVE list is a catalogue of publicly known information security vulnerabilities and is perhaps the most widely used standard of its kind. It allows each vulnerability to be identified by assigning it a unique identification code.

For instance, CVE-2017-5715 and CVE-2014-6271 refer to the well-known vulnerabilities Spectre and Shellshock, respectively.


What is CWE?

CWE stands for Common Weakness Enumeration. CWE refers to types of software weaknesses rather than specific instances of vulnerabilities within products or systems. It can be seen as a catalogue of documented weaknesses that are commonly introduced during programming and that can lead to vulnerabilities. It is maintained by a community project whose goals are understanding flaws in software and creating automated tools that can identify, fix and prevent those flaws.

For instance, CWE-77 and CWE-89 refer to injection weaknesses, and CWE-326 to weak encryption practices.

We integrate vulnerability and weakness checks into our build pipelines. On one side, static code analysis (typically with SonarQube) keeps track of CWEs in our code. On the other side, third-party dependencies are analysed (for instance with npm audit, the Maven dependency plugin and Python Safety) so that we are aware of any known CVEs and CWEs affecting them.
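The following Python script is an added example and not the Cloud & DevOps Tech Group's pipeline code. It ties together the two things the post describes: the identifier formats (a CVE is a specific vulnerability instance, a CWE a weakness class) and a build gate that consumes scanner findings. The report format and the severity scale are assumptions for the example; real tools such as SonarQube or npm audit use their own export formats and labels, so in practice a small adapter would translate their output into this shape. The locations and severities in the sample report are constructed; the identifiers are the ones named in the article.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# CVE identifiers are "CVE-" + a four-digit year + a sequence number of at
# least four digits (the 2014 syntax change removed the old four-digit ceiling).
# CWE identifiers are "CWE-" + a number.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")

# Tool-neutral qualitative scale (assumption for this example; real scanners
# use their own labels, e.g. npm audit says "moderate" where CVSS says "medium").
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def is_cve_id(identifier: str) -> bool:
    """True for a syntactically valid CVE identifier such as CVE-2014-6271."""
    return CVE_RE.match(identifier) is not None


def is_cwe_id(identifier: str) -> bool:
    """True for a syntactically valid CWE identifier such as CWE-89."""
    return CWE_RE.match(identifier) is not None


@dataclass(frozen=True)
class Finding:
    location: str     # dependency name or source file the finding applies to
    identifier: str   # a CVE (specific instance) or CWE (weakness class) id
    severity: str     # one of the keys of SEVERITY_RANK
    source: str       # which pipeline stage reported it


def load_findings(report_json: str) -> List[Finding]:
    """Parse the constructed, tool-neutral report format used in this example.

    Each finding must carry a well-formed CVE or CWE identifier and a known
    severity label; anything else is rejected so that a malformed scanner
    export cannot silently pass the gate.
    """
    data = json.loads(report_json)
    findings = []
    for entry in data["findings"]:
        identifier = entry["id"]
        if not (is_cve_id(identifier) or is_cwe_id(identifier)):
            raise ValueError(f"unrecognised identifier: {identifier!r}")
        severity = entry["severity"].lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} on {identifier}")
        findings.append(Finding(entry["location"], identifier, severity, entry["source"]))
    return findings


def gate(findings: List[Finding], fail_at: str = "high",
         accepted: FrozenSet[str] = frozenset()) -> Tuple[bool, List[Finding]]:
    """Decide whether the build may proceed.

    A finding blocks the build when its severity is at or above `fail_at` and
    its identifier is not in `accepted` (a documented risk acceptance, which
    should itself be reviewed and expire). Returns (passed, blocking_findings).
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if SEVERITY_RANK[f.severity] >= threshold and f.identifier not in accepted]
    return (not blocking, blocking)


# Constructed sample report: identifiers from the article, everything else made up.
SAMPLE_REPORT = json.dumps({"findings": [
    {"location": "bash-helper (constructed dependency)", "id": "CVE-2014-6271",
     "severity": "critical", "source": "dependency-scan"},
    {"location": "app/db.py (constructed file)", "id": "CWE-89",
     "severity": "high", "source": "static-analysis"},
    {"location": "app/crypto.py (constructed file)", "id": "CWE-326",
     "severity": "medium", "source": "static-analysis"},
    {"location": "cpu-shim (constructed dependency)", "id": "CVE-2017-5715",
     "severity": "medium", "source": "dependency-scan"},
]})

if __name__ == "__main__":
    # Exit non-zero so a CI stage fails when blocking findings remain.
    findings = load_findings(SAMPLE_REPORT)
    passed, blocking = gate(findings, fail_at="high")
    for f in blocking:
        print(f"BLOCK {f.severity:8} {f.identifier:15} {f.location} [{f.source}]")
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the script fails the build on the critical Shellshock dependency and the high-severity SQL injection weakness while letting the two medium findings through; a risk acceptance for a specific identifier is explicit in the `accepted` set rather than hidden in a lowered threshold, which keeps the decision visible in review.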

Take a look at our Technology Groups and how we can help you build secure software.