CWE-Compatible Products and Services: 22

The products and services listed below have achieved the final stage of MITRE's formal CWE Compatibility Program and are now "Officially CWE-Compatible." Each organization's product is now eligible to use the CWE-Compatible Product/Service logo, and their completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of their product listings.
Products are listed alphabetically by organization name:

| Coverity, Inc. | Date Declared: September 10, 2009 |
|---|---|
| Web Site | www.coverity.com |

Quote/Declaration: Coverity recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility for our development testing solutions.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| Coverity Quality Advisor | Static Application Security Testing (SAST) | Yes | Yes | Yes | Review Completed Questionnaire |
| Coverity Security Advisor | Static Application Security Testing (SAST) | Yes | Yes | Yes | Review Completed Questionnaire |


| CXSecurity | Date Declared: January 3, 2012 |
|---|---|
| Web Site | cxsecurity.com |

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| World Laboratory of Bugtraq (WLB) 2 | Vulnerability Database | Yes | Yes | Yes | Review Completed Questionnaire |


| Denim Group, Ltd | Date Declared: March 12, 2013 |
|---|---|
| Web Site | www.denimgroup.com |

Quote/Declaration: ThreadFix is a software vulnerability aggregation and management solution that imports results from static, dynamic, and manual software security testing tools, providing a centralized view of defects across development projects. CWE is an important and valuable initiative that will help ThreadFix users better understand the security posture of their code.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| ThreadFix | Open Source Vulnerability Management Tool | Yes | Yes | Yes | Review Completed Questionnaire |


| GrammaTech, Inc. | Date Declared: March 13, 2007 |
|---|---|
| Web Site | www.grammatech.com |

Quote/Declaration: GrammaTech's CodeSonar is a static analysis tool for finding programming flaws and security vulnerabilities in C/C++ code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| CodeSonar | Static Analysis Tool | Yes | Yes | Yes | Review Completed Questionnaire |


| Hewlett-Packard | Date Declared: February 05, 2007 |
|---|---|
| Web Site | www.hpenterprisesecurity.com/ |

Quote/Declaration: HP Application Security Center recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility for all HP Application Security Center products and services.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| HP Assessment Management Platform (ASP) | Enterprise Platform for Managing a Web Application Security Assessment Program | Yes | Yes | Yes | Review Completed Questionnaire |
| HP Fortify On Demand | Static and Dynamic Analysis and Results Reporting Service | Yes | Yes | Yes | Review Completed Questionnaire |
| HP Fortify Real-Time Analyzer | Real-Time Detection and Prevention of Attacks | Yes | Yes | Yes | Review Completed Questionnaire |
| HP Fortify Software Security Center | Results Reporting | Yes | Yes | Yes | Review Completed Questionnaire |
| HP Fortify Static Code Analyzer | Static Analysis and Results Reporting | Yes | Yes | Yes | Review Completed Questionnaire |
| HP WebInspect | Dynamic Analysis Web Application Security Assessment Tool | Yes | Yes | Yes | Review Completed Questionnaire |


| High-Tech Bridge SA | Date Declared: August 20, 2012 |
|---|---|
| Web Site | www.htbridge.com |

Quote/Declaration: At High-Tech Bridge we strongly believe that a weakness standardization system, such as CWE, is vital to facilitate vulnerabilities classification, remediation and management. CWE Compatibility is also a perfect complement for our CVE Compatibility.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| High-Tech Bridge Security Advisories | Database/Knowledge Repository Based upon High-Tech Bridge's Proprietary Research | Yes | Yes | Yes | Review Completed Questionnaire |


| IBM Security Systems | Date Declared: July 10, 2012 |
|---|---|
| Web Site | www.ibm.com |

Quote/Declaration: We recognize the importance of compliance in security standards for IBM Security AppScan Standard, Enterprise, and Source to convey maximum usability and ease-of-use.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| IBM Security AppScan Standard | Web Application Security Assessment Scanner | Yes | Yes | Yes | Review Completed Questionnaire |


| Klocwork, Inc. | Date Declared: February 05, 2007 |
|---|---|
| Web Site | www.klocwork.com |

Quote/Declaration: We see CWE as an important collaboration between academia, government, and industry to help mainstream the principles of secure coding. Klocwork is pleased to contribute to this initiative and have made our source code analysis tools compliant with the second level of the CWE Compatibility Program.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| Klocwork Insight | Assessment and Remediation Tool | Yes | Yes | Yes | Review Completed Questionnaire |


| National Institute of Standards and Technology (NIST) | Date Declared: March 2, 2012 |
|---|---|
| Web Site | www.nist.gov/ |

Quote/Declaration: The purpose of the SAMATE Reference Dataset (SRD) is to provide a public repository of test cases to measure the accuracy and breadth of software assurance tools; to improve tools and techniques; and to increase adoption and use of software tools, higher quality software. The CWE compatibility and effectiveness will enhance the usability of SRD among software assurance tools and users.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| SAMATE Reference Dataset (SRD) | Web-based Software Security Assurance Application | Yes | Yes | Yes | Review Completed Questionnaire |


| Red Hat, Inc. | Date Declared: February 8, 2012 |
|---|---|
| Web Site | www.redhat.com |

Quote/Declaration: Red Hat is engaged in CWE Compatibility for providing a common language for discussing, identifying, and dealing with the causes of vulnerabilities in its products as part of its assessment services, knowledge repositories, software development practices, and education offerings.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| Red Hat Customer Portal | Customer Assessment Service | Yes | Yes | Yes | Review Completed Questionnaire |


| Security-Database | Date Declared: May 5, 2008 |
|---|---|
| Web Site | www.security-database.com |

Quote/Declaration: CWE is a great effort to empower organizations to better identify and eliminate programming flaws. Security-Database is pleased to support this initiative by supplying CWE information along with vulnerability information. We are also planning to ensure CWE compatibility with our next vulnerability management software.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| Security-Database Web Services | Web Services | Yes | Yes | Yes | Review Completed Questionnaire |


| Veracode, Inc. | Date Declared: February 05, 2007 |
|---|---|
| Web Site | www.veracode.com |

Quote/Declaration: We are pursuing CWE Compatibility because we believe in standards-based testing. It benefits the customer community and advances progress in application security when vendors adopt an industry standard. Doing so allows a common yardstick for measurement regardless of the product or service used and allows true comparisons and a common understanding of the problems affecting software applications.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| Veracode Analytics | SAST, DAST, Manual Penetration Testing | Yes | Yes | Yes | Review Completed Questionnaire |
| Veracode Dynamic Analysis | SAST, DAST, Manual Penetration Testing | Yes | Yes | Yes | Review Completed Questionnaire |
| Veracode Manual Testing | SAST, DAST, Manual Penetration Testing | Yes | Yes | Yes | Review Completed Questionnaire |
| Veracode Static Analysis | SAST, DAST, Manual Penetration Testing | Yes | Yes | Yes | Review Completed Questionnaire |


| WebLayers, Inc. | Date Declared: May 3, 2012 |
|---|---|
| Web Site | www.weblayers.com |

Quote/Declaration: WebLayers Center Java Security Library consists of policies that map to the CWE standard and best practices. The policies provide a complete set of security specific coding guidelines targeted at the Java programming language.

| Name | Type | CWE Coverage | CWE Output | CWE Searchable | Questionnaire |
|---|---|---|---|---|---|
| WebLayers Center Security Policy Library | Software Development Lifecycle (SDLC) Governance | Yes | Yes | Yes | Review Completed Questionnaire |