Finding and patching vulnerabilities after the software is in production is both costly and leaves the company vulnerable to cyberattacks. To build defenses from the moment the code is written, software engineers use the CWE (Common Weakness Enumeration) catalog as a guide to secure programming.
How Do Programmers Use CWE to Secure Code?
CWE creates a common language between programmers and security teams. It can be used at different stages of software development in the following ways:
In the Planning and Design Phase: Before starting to write code, architects review the "CWE Top 25" (World's 25 Most Dangerous Code Errors) list. For example, if the project has a user registration system, the team reviews the CWE-20 (Invalid Input Validation) rules in advance and sets the code standards accordingly.
During the Coding Phase (Live Guide): Each error in the CWE database has a special section for programmers. This includes a "Error Code Example" in the language (C, C++, Java, Python, Go) of the error and a "Correct / Safe Code Example" immediately before it. Programmers can look at these examples while writing the function and avoid errors.
During the Testing Phase (SAST Tools): SAST (Static Application Security Testing) tools that automatically scan the code directly mark the errors they find with CWE codes (for example: Warning: CWE-79 detected). As soon as the programmer receives this warning from the scanner, he switches to the CWE database, understands the root of the error and fixes the code.
During Code Review, Senior programmers do not just say "there is an error here" when reviewing the code of juniors. They direct them to the appropriate CWE link.This turns a simple bug fix into a long-term learning method for the programmer.
Top comments (0)