Verification mappings

SD Elements leverages the results of verification tools to automatically mark the verification status of its security requirements. This capability is the result of requirement-weakness mappings developed and maintained internally, and in collaboration with industry best practices and product vendors.

A verification mapping is a relation between a security weakness or check and one or more SD Elements tasks. Each mapping is assigned a confidence level so that an appropriate verification status can be assigned to each affected task.

Confidence levels

Verification mappings are attributed with a confidence level. This value captures the general capability of the tool to identify the weaknesses associated with the requirements. There are two possible values: Low and High.

Tasks corresponding to a weakness that are not identified by a verification tool in a scanning session are marked with a verification status of Pass (High confidence mapping) or Partial Pass (Low confidence mapping).

High confidence mapping:

A mapping with a confidence level of "high": assuming the verification tool supports the application’s technology stack (such as language and framework), then it is normally very effective at finding the problems associated with the SD Elements requirement.

Low confidence mapping:

A mapping with a confidence level of "low": The verification tool can normally detect some instances of the requirement’s underlying problem, but not all, for a number of possible reasons.

CWE-based mappings

Common Weakness Enumeration (CWE) is the generally accepted way of describing software weaknesses. Wherever possible, SD Elements generates mappings by associating one or more CWE identifiers with an SD Elements requirement.

Example:

Consider a verification tool that provides CWE information and two of its supported CWE identifiers are CWE-89 and CWE-564. Both identifiers cover SQL Injection weaknesses. In this example the mapping would be:

| Task | CWE |
|------|-----|
| T38: Bind variables in SQL statements | CWE-89: Improper neutralization of special elements used in an SQL command (SQL Injection) |
| T38: Bind variables in SQL statements | CWE-564: SQL Injection: Hibernate |
| T282: Bind variables in SQL statements for client applications | CWE-89: Improper neutralization of special elements used in an SQL command (SQL Injection) |
| T282: Bind variables in SQL statements for client applications | CWE-564: SQL Injection: Hibernate |

T38 and T282 are each mapped to CWE-89 and CWE-564. If a verification tool’s result file references CWE-89 or CWE-564, SD Elements marks the verification status of T38 or T282 as Fail (which one depends on the project type, client or server).

Tool-specific mappings

Every verification tool tracks weaknesses differently: CWE is not supported or communicated uniformly by all security scanner products. For this reason, SD Elements maintains a separate, explicit mapping for each supported tool.

Some verification tool mappings are not based on CWE, but rather the "checks" or "weakness categories" that the product performs or communicates. This technique was conceived during discussions with certain tool vendors as it yields a more accurate mapping.

Scanning checks for vulnerable software

Some verification tools search for known vulnerabilities in software. For these specific checks, SD Elements maps any such results from the tool to T186: Verify that third party libraries do not have any outstanding security patches.
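The following is an added illustration, not SD Elements code, of how the status rule described above (Fail on a referenced weakness, otherwise Pass or Partial Pass by confidence) and the T186 mapping for vulnerable-software checks combine for one scanning session. The task/CWE pairs follow the page's T38/T282 example; the confidence levels, the project-type attribute, the `vulnerable-component` check name and the handling of tasks with mixed confidence levels are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Mapping:
    """One verification mapping: a weakness identifier tied to an SD Elements task."""
    task: str          # SD Elements task id, e.g. "T38"
    weakness: str      # CWE id ("CWE-89") or a tool-specific check name
    confidence: str    # "high" or "low"
    project_type: str  # "server" or "client" (assumed attribute for this example)


# Constructed mapping table based on the page's T38/T282 example. The confidence
# levels, project types and the "vulnerable-component" check name are assumptions.
MAPPINGS: List[Mapping] = [
    Mapping("T38", "CWE-89", "high", "server"),
    Mapping("T38", "CWE-564", "high", "server"),
    Mapping("T282", "CWE-89", "high", "client"),
    Mapping("T282", "CWE-564", "low", "client"),
    # A tool's known-vulnerable-software check maps to T186 for both project types.
    Mapping("T186", "vulnerable-component", "high", "server"),
    Mapping("T186", "vulnerable-component", "high", "client"),
]


def verification_status(mappings: Iterable[Mapping], findings: Iterable[str],
                        project_type: str) -> Dict[str, str]:
    """Derive a verification status per task from one scanning session.

    findings holds the weakness identifiers the tool's result file referenced.
    A task is Fail if any of its mapped weaknesses was found; otherwise it is
    Pass if all of its mappings are high confidence, else Partial Pass (the
    mixed-confidence rule is an assumption, not stated on the page).
    """
    found = set(findings)
    by_task: Dict[str, List[Mapping]] = {}
    for m in mappings:
        if m.project_type == project_type:
            by_task.setdefault(m.task, []).append(m)
    status: Dict[str, str] = {}
    for task, task_maps in by_task.items():
        if any(m.weakness in found for m in task_maps):
            status[task] = "Fail"
        elif all(m.confidence == "high" for m in task_maps):
            status[task] = "Pass"
        else:
            status[task] = "Partial Pass"
    return status


if __name__ == "__main__":
    # Constructed result sets: one scan that reported CWE-89, one clean scan.
    print(verification_status(MAPPINGS, ["CWE-89"], "server"))  # {'T38': 'Fail', 'T186': 'Pass'}
    print(verification_status(MAPPINGS, [], "client"))          # {'T282': 'Partial Pass', 'T186': 'Pass'}
```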

Mapping process

Mappings undergo the following process:

  1. We start by reviewing the full library of weaknesses that the verification tool identifies and use a base CWE mapping to come up with an initial map.

  2. Our content research experts, having audit and scanning background, manually go over each item and adjust the mapping as they see fit.

  3. Finally, we contact the scanning vendor to solicit their feedback on the mapping and the confidence levels, and adjust based on the full review by the vendor.

Ongoing mapping updates

On a periodic basis, SD Elements updates its mapping files to correspond with changes to its requirement database and any updates by product vendors.
