CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > Compatibility > CWE-Compatible Products and Services  

CWE-Compatible Products and Services
CWE-Compatible Products and Services

CWE-Compatible Products and Services: 27

The products and services listed below have achieved the final stage of MITRE's formal CWE Compatibility Program and are now "Officially CWE-Compatible." Each organization's product is now eligible to use the CWE-Compatible Product/Service logo, and their completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of their product listings.


Compatible

Products are listed alphabetically by organization name:

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z
Conviso Application Security Date Declared: April 12, 2013

Web Site:

Quote/Declaration: Because just ļ¬nding bugs isn't enough!

Name: Conviso Security Compliance (CSC)
Type: Vulnerability Identification and Management  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Sep 5, 2013
Coverity, Inc. Date Declared: September 10, 2009

Web Site:

Quote/Declaration: Coverity recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility for our development testing solutions.

Name: Coverity Quality Advisor
Type: Static Application Security Testing (SAST)  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: Coverity Security Advisor
Type: Static Application Security Testing (SAST)  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
 
Cr0security Date Declared: December 11, 2013

Web Site:

Quote/Declaration: Cr0security focuses on software application security and professional security services and supports the CWE standard.

— Yuda Prawira, COO and Founder, Cr0security
Name: Cr0security Certified Security Testing
Type: Professional Security Testing Certification  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: Cr0security Penetration Testing and Consultant Services
Type: Network Penetration Testing and Vulnerability Assessment Services  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Dec 11, 2013
CXSecurity Date Declared: January 3, 2012

Web Site:

Name: World Laboratory of Bugtraq (WLB) 2
Type: Vulnerability Database  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
 
Denim Group, Ltd Date Declared: March 12, 2013

Web Site:

Quote/Declaration: ThreadFix is a software vulnerability aggregation and management solution that imports results from static, dynamic, and manual software security testing tools, providing a centralized view of defects across development projects. CWE is an important and valuable initiative that will help ThreadFix users better understand the security posture of their code.

Name: ThreadFix
Type: Open Source Vulnerability Management Tool  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
 
Fasoo.com, Inc. Date Declared: August 8, 2012

Web Site:

Quote/Declaration: Fasoo.com's SPARROW is a source code analysis tool that has both semantic and syntactic analysis engines. SPARROW detects runtime errors, security vulnerabilities, and coding convention violations in various programming languages (C/C++/Java/JSP/Android Java). Fasoo.com is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE Compatibility for our product.

Name: SPARROW
Type: Semantic-Based Static Program Analysis Tool  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Aug 9, 2013
GrammaTech, Inc. Date Declared: March 13, 2007

Web Site:

Quote/Declaration: GrammaTech's CodeSonar is a static analysis tool for finding programming flaws and security vulnerabilities in C/C++ code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort.

Name: CodeSonar
Type: Static Analysis Tool  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
 
High-Tech Bridge SA Date Declared: August 20, 2012

Web Site:

Quote/Declaration: At High-Tech Bridge we strongly believe that CWE information security standard makes security measurable and universal, from which customers, vendors and security researchers benefit. We are grateful to the efforts of MITRE Corporation for continuous CWE standard development and support.

Name: High-Tech Bridge Security Advisories
Type: Database/Knowledge Repository Based upon High-Tech Bridge's Proprietary Research  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: ImmuniWeb
Type: SaaS Web Application Vulnerability Assessment Service  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Jun 11, 2013
HP Date Declared: February 05, 2007

Web Site:

Quote/Declaration: HP Application Security Center recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility for all HP Application Security Center products and services.

— Joe Yeager, Product Manager, HP Application Security Center
Name: HP Assessment Management Platform (ASP)
Type: Enterprise Platform for Managing a Web Application Security Assessment Program  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: HP Fortify On Demand
Type: Static and Dynamic Analysis and Results Reporting Service  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: HP Fortify Real-Time Analyzer
Type: Real-Time Detection and Prevention of Attacks  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: HP Fortify Software Security Center
Type: Results Reporting  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: HP Fortify Static Code Analyzer
Type: Static Analysis and Results Reporting  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: HP WebInspect
Type: Dynamic Analysis Web Application Security Assessment Tool  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Feb 25, 2014
IBM Security Systems Date Declared: July 10, 2012

Web Site:

Quote/Declaration: IBM actively promotes, supports, and contributes to the emerging open systems standards such as CVE that enable technology management software in the IBM Security portfolio of intrusion detection, vulnerability assessment, end point management, and security management components to inter-operate and share management information. We know that open system standards are a critical step in this direction. We support CVE as the first and the most complete naming convention for vulnerability mapping in the industry and we are committed to using CVE within our product in a tightly integrated fashion.

Name: IBM Security AppScan Standard
Type: Web Application Security Assessment Scanner  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Feb 25, 2014
Klocwork, Inc. Date Declared: February 05, 2007

Web Site:

Quote/Declaration: We see CWE as an important collaboration between academia, government, and industry to help mainstream the principles of secure coding. Klocwork is pleased to contribute to this initiative and have made our source code analysis tools compliant with the second level of the CWE Compatibility Program.

Name: Klocwork Insight
Type: Assessment and Remediation Tool  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
 
National Institute of Standards and Technology (NIST) Date Declared: March 2, 2012

Web Site:

Quote/Declaration: The purpose of the Software Assurance Reference Dataset (SARD) is to provide a public repository of test cases to measure the accuracy and breadth of software assurance tools; to improve tools and techniques; and to increase adoption and use of software tools, higher quality software. The CWE compatibility and effectiveness will enhance the usability of SRD among software assurance tools and users.

Name: Software Assurance Reference Dataset (SARD)
Type: Web-based Software Security Assurance Application  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: May 8, 2014
Red Hat, Inc. Date Declared: February 8, 2012

Web Site:

Quote/Declaration: Red Hat is engaged in CWE Compatibility for providing a common language for discussing, identifying, and dealing with the causes of vulnerabilities in its products as part of its assessment services, knowledge repositories, software development practices, and education offerings.

Name: Red Hat Customer Portal
Type: Customer Assessment Service  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: October 24, 2012
Security-Database Date Declared: May 5, 2008

Web Site:

Quote/Declaration: CWE is great effort to empower organizations to better identify and eliminate programming flaws. Security-Database is pleased to support this initiative by supplying CWE information along with vulnerability information. We are also planning to ensure CWE compatibility with our next vulnerability management software.

Name: Security-Database Web Services
Type: Web Services  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Mar 3, 2014
Veracode, Inc. Date Declared: February 05, 2007

Web Site:

Quote/Declaration: We are pursuing CWE Compatibility because we believe in standards-based testing. It benefits the customer community and advances progress in application security when vendors adopt an industry standard. Doing so allows a common yardstick for measurement regardless of the product or service used and allows true comparisons and a common understanding of the problems affecting software applications.

Name: Veracode Analytics
Type: SAST, DAST, Manual Penetration Testing  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: Veracode Dynamic Analysis
Type: SAST, DAST, Manual Penetration Testing  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: Veracode Manual Testing
Type: SAST, DAST, Manual Penetration Testing  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
Name: Veracode Static Analysis
Type: SAST, DAST, Manual Penetration Testing  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: Oct 10, 2013
WebLayers, Inc. Date Declared: May 3, 2012

Web Site:

Quote/Declaration: WebLayers Center Java Security Library consists of policies that map to the CWE standard and best practices. The policies provide a complete set of security specific coding guidelines targeted at the Java programming language.

Name: WebLayers Center Security Policy Library
Type: Software Development Lifecycle (SDLC) Governance  
CWE Coverage: Yes
CWE Output: Yes
CWE Searchable: Yes
Review Completed Questionnaire
  Last Updated: April 5, 2013
Page Last Updated: May 08, 2014