
CWEs that violate security standards

This section lists the Common Weakness Enumerations (CWEs) found in your application during Veracode Static Analysis or Veracode DAST that violate security standards, including Veracode's security rating for the CWEs.

In your security policies, you can apply the Security Standards rule and select one or more security standards for the applications to which a policy is assigned. To pass policy, applications must not contain the CWEs defined in the selected standards.

Veracode Manual Penetration Testing scans might report any valid CWE, including those not listed here.

Veracode identifies the CWEs in the following ways:

  • Reporting CWEs explicitly listed in the official CWE mappings for the security standard.
  • Reporting CWEs that are direct children or parents of a CWE listed in the official CWE mappings. Veracode generally includes these CWEs because it reports a security category under a more specific or more general CWE than the one that appears in the standard mapping. For example, Veracode usually reports cross-site scripting found by Static Analysis as CWE 80 (basic XSS), whereas a standard mapping lists it as the more general CWE 79.
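The parent/child rule above is easy to misjudge when reading a findings report, so here is an added example (not Veracode's code) that evaluates a list of reported CWE IDs against a standard's mapping the way the two bullets describe. The CWE hierarchy excerpt is constructed for illustration from the public CWE "ChildOf" relationships, and the example assumes only one level of parent or child is considered, since the text does not say how far Veracode walks the tree.

```python
from typing import Dict, Iterable, Set

# Constructed excerpt of the CWE hierarchy, child ID -> set of parent IDs.
# CWE-80 (basic XSS) is a child of CWE-79; CWE-79 is a child of CWE-74 (injection).
CHILD_OF: Dict[int, Set[int]] = {
    80: {79},
    79: {74},
    74: {707},
    89: {943},
    943: {74},
}


def parents_of(cwe: int) -> Set[int]:
    """Direct parents of a CWE in the excerpt above."""
    return set(CHILD_OF.get(cwe, set()))


def children_of(cwe: int) -> Set[int]:
    """Direct children of a CWE in the excerpt above."""
    return {child for child, parents in CHILD_OF.items() if cwe in parents}


def classify(reported: Iterable[int], mapped: Iterable[int]) -> Dict[int, str]:
    """Explain, per reported CWE, why it does or does not violate the standard.

    A reported CWE violates the standard if it is listed explicitly, or if it is a
    direct child or direct parent of a listed CWE (one level only; an assumption).
    """
    mapped_set = set(mapped)
    verdict: Dict[int, str] = {}
    for cwe in reported:
        mapped_parents = parents_of(cwe) & mapped_set
        mapped_children = children_of(cwe) & mapped_set
        if cwe in mapped_set:
            verdict[cwe] = "listed in standard"
        elif mapped_parents:
            # e.g. CWE-80 reported, CWE-79 in the mapping
            verdict[cwe] = f"child of CWE-{min(mapped_parents)}"
        elif mapped_children:
            # e.g. CWE-74 reported, CWE-79 in the mapping
            verdict[cwe] = f"parent of CWE-{min(mapped_children)}"
        else:
            verdict[cwe] = "not in standard"
    return verdict


def policy_passes(reported: Iterable[int], mapped: Iterable[int]) -> bool:
    """True only if no reported CWE is listed, a child of, or a parent of a mapped CWE."""
    return all(v == "not in standard" for v in classify(reported, mapped).values())


if __name__ == "__main__":
    # Constructed inputs: a hypothetical standard mapping and a set of scan findings.
    standard_mapping = {79, 89}
    findings = [80, 79, 74, 707, 22]
    for cwe, reason in classify(findings, standard_mapping).items():
        print(f"CWE-{cwe}: {reason}")
    print("policy passes:", policy_passes(findings, standard_mapping))
```

Note that CWE-707 is two levels above CWE-79 in the excerpt and is therefore not treated as a violation under the one-level assumption; if a standard's mapping is interpreted transitively, the expansion must walk the whole tree instead.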

What is OWASP?

The Open Worldwide Application Security Project (OWASP) is dedicated to creating a safer web application environment. It offers articles, tools, technologies, and forums to help every developer write secure code. Among its many projects, the most widely known is the OWASP Top 10.

What is OWASP Top 10?

The OWASP Top 10 is a publicly shared list of the ten most critical web application security risks, as ranked by OWASP. Web application security experts develop and maintain the list. It aims to educate organizations about the vulnerability classes they need to mitigate to secure their web applications.

OWASP also publishes a separate Top 10 list for mobile applications.

In addition to the Top 10 list, OWASP publishes and maintains the following resources:

Supported security standards