Verification mappings
SD Elements uses the results of verification tools (security scanners) to set the verification status of its security requirements automatically. This capability relies on requirement-to-weakness mappings that are developed and maintained internally, following industry best practices and in collaboration with product vendors.
A verification mapping is a relation between a security weakness or check and one or more SD Elements tasks. Each mapping carries a confidence level, which determines the verification status assigned to each affected task.
Confidence levels
Each verification mapping carries a confidence level. This value captures how capable the tool generally is of identifying the weaknesses associated with the requirement. There are two possible values: Low and High.
Tasks whose mapped weaknesses are not reported by a verification tool in a scanning session are marked with a verification status of Pass (High confidence mapping) or Partial Pass (Low confidence mapping).
A mapping with a confidence level of "high": assuming the verification tool supports the application’s technology stack (such as its language and framework), the tool is normally very effective at finding the problems associated with the SD Elements requirement.
A mapping with a confidence level of "low": the verification tool can normally detect some instances of the requirement’s underlying problem, but not all, for a number of possible reasons.
CWE-based mappings
Common Weakness Enumeration (CWE) is the generally accepted way of describing software weakness types. Wherever possible, SD Elements generates mappings by associating one or more CWE identifiers with an SD Elements requirement.
Consider a verification tool that reports CWE information and supports, among others, CWE-89 and CWE-564. Both identifiers cover SQL Injection weaknesses. In this example the mapping would be:
Task | CWE
---|---
T38: Bind variables in SQL statements | CWE-89 Improper neutralization of special elements used in an SQL command (SQL Injection)
T38: Bind variables in SQL statements | CWE-564 SQL Injection: Hibernate
T282: Bind variables in SQL statements for client applications | CWE-89 Improper neutralization of special elements used in an SQL command (SQL Injection)
T282: Bind variables in SQL statements for client applications | CWE-564 SQL Injection: Hibernate
T38 and T282 are each mapped to CWE-89 and CWE-564. If a verification tool’s result file references CWE-89 or CWE-564, SD Elements marks the verification status of T38 (server projects) or T282 (client projects) as Fail.
Tool-specific mappings
Every verification tool tracks weaknesses differently, and CWE is not supported or reported uniformly across security scanner products. For this reason, SD Elements maintains a separate, explicit mapping for each supported tool.
Some verification tool mappings are not based on CWE but on the "checks" or "weakness categories" that the product performs or reports. This approach was developed in discussions with certain tool vendors, as it yields a more accurate mapping than CWE alone.
Scanning checks for vulnerable software
Some verification tools search for known vulnerabilities in third-party software components. SD Elements maps any such results from the tool to T186: Verify that third party libraries do not have any outstanding security patches.
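The following is an added example, not SD Elements code, that models the behaviour described in the CWE-based, tool-specific and vulnerable-software sections above: a mapping table keyed either by CWE identifier or by a tool-specific check name, a scan result reduced to the set of keys it reports, and the Pass / Partial Pass / Fail rule applied per task and project type. The confidence levels placed on T38, T282 and T186, the check name "VULNERABLE_COMPONENT", the finding format and the rule that the weakest outcome wins when several mappings point at one task are assumptions made for the example, not facts from the page.

```python
"""Illustrative model of verification mappings driving task status.

Added example, not SD Elements code. The confidence levels on T38/T282/T186,
the "VULNERABLE_COMPONENT" check name, the finding format and the rule for
combining several mappings of one task (weakest outcome wins) are assumed.
"""
from dataclasses import dataclass
from enum import Enum


class Confidence(Enum):
    LOW = "low"
    HIGH = "high"


class Status(Enum):
    # Ordered from worst to best so the weakest result for a task wins.
    FAIL = 0
    PARTIAL_PASS = 1
    PASS = 2


@dataclass(frozen=True)
class Mapping:
    task: str
    key: str                  # a CWE id ("CWE-89") or a tool-specific check name
    confidence: Confidence
    project_types: frozenset  # project types the task applies to


# Constructed mapping table for one hypothetical tool. T38 is the server-side
# task and T282 the client-side one, as in the table above; T186 is driven by
# the tool's known-vulnerable-software check rather than by a CWE (assumed).
MAPPINGS = (
    Mapping("T38", "CWE-89", Confidence.HIGH, frozenset({"server"})),
    Mapping("T38", "CWE-564", Confidence.HIGH, frozenset({"server"})),
    Mapping("T282", "CWE-89", Confidence.HIGH, frozenset({"client"})),
    Mapping("T282", "CWE-564", Confidence.HIGH, frozenset({"client"})),
    Mapping("T186", "VULNERABLE_COMPONENT", Confidence.LOW, frozenset({"server", "client"})),
)


def reported_keys(findings):
    """Collect every CWE id and check name present in a tool's result file.

    `findings` is a constructed stand-in for a parsed result file: a list of
    dicts with an optional "check" name and an optional list of "cwe" ids.
    """
    keys = set()
    for finding in findings:
        if finding.get("check"):
            keys.add(finding["check"])
        keys.update(finding.get("cwe", ()))
    return keys


def verification_status(mappings, findings, project_type):
    """Return {task: Status} for the tasks this tool can verify.

    A task whose mapped weakness or check appears in the results is Fail. A
    task none of whose mapped keys appear is Pass when the mapping is High
    confidence and Partial Pass when it is Low. Tasks with no mapping for the
    tool, or not applicable to the project type, receive no status at all.
    """
    keys = reported_keys(findings)
    statuses = {}
    for m in mappings:
        if project_type not in m.project_types:
            continue
        if m.key in keys:
            candidate = Status.FAIL
        elif m.confidence is Confidence.HIGH:
            candidate = Status.PASS
        else:
            candidate = Status.PARTIAL_PASS
        # Several mappings can point at one task; keep the weakest outcome
        # (assumed rule; the page does not say how they combine).
        current = statuses.get(m.task)
        if current is None or candidate.value < current.value:
            statuses[m.task] = candidate
    return statuses


# Constructed sample result files, not output of any real scanner.
SERVER_SCAN = [
    {"check": "SQL Injection", "cwe": ["CWE-89"]},
    {"check": "Cross-Site Scripting", "cwe": ["CWE-79"]},  # no mapping in this table
]
CLEAN_SCAN = []
LIBRARY_SCAN = [{"check": "VULNERABLE_COMPONENT", "cwe": []}]

if __name__ == "__main__":
    for name, scan, ptype in (("server scan", SERVER_SCAN, "server"),
                              ("clean client scan", CLEAN_SCAN, "client"),
                              ("library scan", LIBRARY_SCAN, "server")):
        result = verification_status(MAPPINGS, scan, ptype)
        print(name, {t: s.name for t, s in sorted(result.items())})
```

Running the block shows the three outcomes the text describes: the server scan reporting CWE-89 turns T38 to Fail while T282 gets no status because it is a client-side task; a clean client scan yields Pass for the High-confidence T282 mapping but only Partial Pass for the Low-confidence T186 mapping; and a hit on the vulnerable-component check fails T186 regardless of the CWE-based results.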
Mapping process
Mappings undergo the following process:
- We start by reviewing the full library of weaknesses that the verification tool identifies and use a base CWE mapping to produce an initial map.
- Our content research experts, who have audit and scanning backgrounds, manually review each item and adjust the mapping as they see fit.
- Finally, we contact the scanning vendor to solicit feedback on the mapping and the confidence levels, and adjust based on the vendor's full review.
On-going mapping updates
Periodically, SD Elements updates its mapping files to reflect changes to its requirement database and any updates released by product vendors.