Security standards and vulnerability lists supported by Lucent Sky AVM

2024/1/15

This article describes how Lucent Sky AVM categorizes vulnerabilities, as well as the security standards and vulnerability lists supported by different versions of Lucent Sky AVM.

How Lucent Sky AVM categorizes vulnerabilities

Lucent Sky AVM uses CWE IDs as the primary categorization mechanism. CWE uses a cascading categorization scheme, meaning that some vulnerabilities can be categorized under more than one CWE ID. For such vulnerabilities, the Lucent Sky team works with external experts and stakeholders to decide which CWE ID should be used.

The goal is to use the CWE IDs with identifiable and unique definitions (for example, choosing CWE-201: Information Exposure Through Sent Data over CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), while avoiding cluttering the scan results with hundreds of similar CWE IDs (for example, choosing CWE-22: Path Traversal over CWE-32: Path Traversal: '...' (Triple Dot)).

Supported security standards and vulnerability lists

This table denotes the security standards and vulnerability lists included in the Built-in rule package of Lucent Sky AVM.

Standard [1]                 Version   Lucent Sky AVM versions [2]
CVE                                    All
CVSS                         3.1       All
CWE [3]                      4.13      All
CWE Top 25                   2023      2309
                             2022      All
                             2021      All
                             2020      All
                             2019      All
CWE/SANS Top 25              3.0       All
HIPAA [4]                              All
MISRA C [4]                  2004      All
                             2012      All
MISRA C++ [4]                2008      All
OWASP API Security Top 10    2019      All
OWASP ASVS                   4.0       All
OWASP Mobile Top 10          2016      All
                             2014      All
OWASP Top 10                 2021      All
                             2017      All
                             2013      All
                             2010      All
PCI DSS [5]                  4.0       All
                             3.2.1     All

1. Most of the security standards and vulnerability lists include vulnerabilities beyond the scope of static code analysis. The inclusion of a specific standard or a list does not indicate the support of all vulnerabilities included in the standard or list. For more information about how Lucent Sky AVM can help organizations meet the requirements of these standards, contact Lucent Sky support.

2. Only includes supported Lucent Sky AVM versions (current as of the last revision date of this article). Also, only the then-current versions of certain security standards and vulnerability lists (such as CWE and CVSS) are supported by a specific version of Lucent Sky AVM. For the security standards, vulnerability lists, and their versions supported by a specific version of Lucent Sky AVM, contact Lucent Sky support.

3. For a list of CWE vulnerability categories supported by Lucent Sky AVM, view the following article in the Lucent Sky Knowledge Base:
List of vulnerability categories supported by Lucent Sky AVM.

4. The Built-in rule package includes vulnerability categories that cover the guidelines and rules in these standards, but these standards are not available as a predefined weakness policy group.

5. To learn more about Lucent Sky AVM and PCI DSS compliance, view the following article in the Lucent Sky Knowledge Base:
Lucent Sky AVM for PCI DSS Compliance.