Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 19

Building Trust in the Security of Software
• ISO/IEC Technical Report ISO/IEC TR 20004:2012, Information Technology – Security Techniques – Refining Software Vulnerability Analysis under ISO/IEC 15408 and ISO/IEC 18045
The CWE/SANS Institute Top 25 Most Dangerous Software Errors is a list of the 25 most widespread and frequently exploited security weaknesses in the CWE repository. The original CISQ Automated Source Code Security Measure (ASCSM) was based on 22 of the CWE/SANS Top 25 that could be detected and counted in source code. In ISO/IEC 5055:2021, the number of security weaknesses is being expanded beyond the CWE/SANS Top 25, since there are other weaknesses severe enough to be incorporated in the CISQ measure. In addition, many CWEs also cause reliability problems and are therefore included in the CISQ reliability measure. All weaknesses in ISO 5055:2021 have been assigned CWE identifiers and are included in the CWE Repository.
Since the CWE is recognized as the primary industry repository of security weaknesses, it is supported by the majority of vendors providing tools and technology in the software security domain (http://cwe.mitre.org/compatible/compatible.html). These vendors already have capabilities for detecting many of the CWEs. CWEs were purposely worded to be language- and application-agnostic in order to allow vendors to develop detectors specific to a wide range of languages and application types beyond the scope that could be covered in the CWE Repository.
ANNEX B
B.1 APPMARQ REPOSITORY
Appmarq (www.appmarq.com) is CAST's application quality benchmarking repository. The data in Appmarq provide unique insight into the structural quality trends of business application software. Over the past decade, CAST has analyzed the structural quality of thousands of business applications across different industries and geographies. These industries span financial services, telecommunications, insurance, national and local governments, retail, manufacturing, and many other IT-intensive sectors. The data have been collected and anonymized from hundreds of organizations primarily across Europe, North America, and Asia.
B.2 CRASH REPORTS
The data presented in this article are from the 2020 CRASH Report (CAST Research on Application Software Health; Curtis et al., 2020) [4]. The 2020 CRASH data drawn from the Appmarq Repository include 2,505 applications submitted by 533 organizations for analysis. In the aggregate these applications totaled 1.549 BLOC (billion lines of code). The submitting organizations are located primarily in Continental Europe (France, Belgium, Italy, Germany, and Spain), the United Kingdom, North America (the United States and Canada), and India. The sample includes applications written primarily in COBOL, Java-EE, .Net, and ABAP, with smaller samples in other languages such as C, C++, Oracle Server, and SQL Server.
14 May 2025