CISQ Automated Source Code Measure for Data Protection
I would appreciate having a CWE/CAPEC Board discussion about promoting/extending the use of CWE to better support organizational needs for data protection and privacy. Obviously, beyond what is presented below and attached, there are additional applicable CWEs in hardware design and system architecture and design that could be presented on the CWE website under a Data Protection View.
On 13 Oct, during the CISQ Cyber Resilience Summit, we provided a presentation entitled "Measuring Data Privacy and Protection in Software for CMMC, GDPR, CCPA, and HIPAA."
Data protection and privacy are at the top of many organizational priorities, and many will be undergoing process assessments associated with CMMC for CUI (based on NIST SP 800-171), GDPR, CCPA, ISO 27001, NIST SP 800-53 r5, etc.
Scanning code that will run or is running in enterprise network-connected assets that process or transmit data would determine if the systems or devices enable data leakage or lack adequate protections to mitigate unauthorized access to read or modify data. If so, then such a scan would reveal if the data protection/privacy controls associated with the process assessment were inadequately implemented.
The CISQ Automated Source Code Data Protection Measure (ASCDPM) could be used in application security testing to provide independent verification of processes revealing source vectors for data leakage or data corruption; providing indicators for non-compliance with respective Data Protection/Privacy guidelines.
The measure elements (weaknesses violating software quality rules) that compose the CISQ ASCDPM contain 36 parent weaknesses and 53 contributing weaknesses - 100% based on the Common Weakness Enumeration (CWE). The CISQ ASCDPM is provided, along with a mapping of relevant process controls in NIST SP 800-171 and 800-53, and ISO/IEC27001. Also, a sample of a report that could be used by any tool that detects these CWEs.