SAST Compliance Standards

Overview

Mend SAST offers several report formats to help you in creating compliance reports on your application for auditing and other inspections. We provide reports based on the industry standards outlined in the table below:

List of Standards

Standard	Industry	Description
Open Web Application Security Project (OWASP) OWASP TOP 10 2017 OWASP TOP 10 2021 OWASP TOP 10 2025	All	From the official OWASP website: “The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.”
National Institute of Standards and Technology (NIST)	US Government and associated entities	From the official NIST website, their mission is: ”To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
Common Attack Pattern Enumeration and Classification (CAPEC)	All	From the official CAPEC website: “[CAPEC] provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.”
SysAdmin, Audit, Network, and Security (SANS) / Common Weakness Enumeration (CWE) SANS / CWE TOP 25	All	From the official CWE website: ”This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.”
Health Insurance Portability and Accountability Act (HIPAA)	Healthcare	From the official HIPAA website: ”While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI.”
Health Information Trust Alliance (HITRUST)	Healthcare	From the official HITRUST website: ”HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks, related assessments, and assurance methodologies.”
Payment Card Industry Data Security Standard (PCI DSS) PCI DSS 3.2 PCI DSS 4.0	Finance	From the official PCI SSC website, their mission is: ”The PCI SSC mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.” The PCI DSS is a part of the PCI SSC’s governance.
MISRA C: 2025 C++: 2023 version	Automotive, Embedded Systems	MISRA provides world-leading best practice guidelines for the safe and secure application of both embedded control systems and standalone software.

Compliance Standard CWE Coverage