| TOTALS | |
| Organizations Participating: 40 | |
| Products & Services: 70 | |
All organizations participating in the CWE Compatibility and Effectiveness Program are listed below.
Products are listed alphabetically by organization name:
| Apple Computer, Inc. | Date Declared: September 10, 2009 |
|---|
|
Web Site: |
| Name: Secure Development Lifecycle | ||
| Type: Secure Development Lifecycle | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
No
|
||
| Armorize Technologies, Inc. | Date Declared: March 09, 2007 |
|---|
|
Web Site: |
Quote/Declaration: Armorize appreciates the CWE initiative in assisting organizations in their evaluation of automated static analysis tools and is pleased to support this industry standard naming scheme for all Armorize Technologies' products and services to best serve our customers.
| Name: CodeSecure Enterprise | ||
| Type: Web Application Source Code Analysis Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: CodeSecure Verifier | ||
| Type: Web Application Source Code Analysis Suite | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: CodeSecure Workbench | ||
| Type: Web Application Source Code Analysis Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Astyran Pte Ltd. | Date Declared: August 10, 2011 |
|---|
|
Web Site: |
Quote/Declaration: Astyran uses CWE in all of its vulnerability assessment reports and code or design review reports in order to have a common language and industry standard classification to discuss issues found with stakeholders.
| Name: Secure Code Review | ||
| Type: Secure Code Review | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: Secure Design Review | ||
| Type: Secure Design Review | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: Web Application Vulnerability Assessment | ||
| Type: Application Vulnerability Assessment | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| CAST | Date Declared: September 17, 2009 |
|---|
|
Web Site: |
Quote/Declaration: CAST's mission for 18 years has been to enable IT organizations to manage non-functional software risk, quality and measurement issues for better business outcomes. CAST has always believed in an industry-led, standards-based approach to ensure proper coverage. Along with ISO, SEI and de facto quality & measurement standards, CAST views CWE as an important new contribution to the canon that can be brought to bear on business issues.
| Name: CAST Application Intelligence Platform | ||
| Type: Automated Application Assessment Platform | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Cenzic, Inc. | Date Declared: August 27, 2008 |
|---|
|
Web Site: |
Quote/Declaration: Cenzic delivers a suite of software applications and services that will discover true web security vulnerabilities. Mapping these vulnerabilities to the CWE standard will provide additional vulnerability details and enable our customers to prioritize their remediation activities and meet compliance requirements.
| Name: Cenzic Hailstorm Enterprise ARC | ||
| Type: Web Application Security Risk Management Platform | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: Cenzic Hailstorm Professional | ||
| Type: Web Application Penetration Testing and Vulnerability Management System | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| CERIAS/Purdue University | Date Declared: February 20, 2007 |
|---|
|
Web Site: |
Quote/Declaration: The exhaustiveness and organization of the CWE coverage is attractive both as an educational tool, and to make sure that students are exposed to secure programming issues in a systematic way that is representative of the most frequent and important problems. I have started revising the secure programming slides with CWE content, and expect to be done midway through Fall 2007.
| Name: Secure programming class, CS390S | ||
| Type: Secure Programming Class and Publicly Available Teaching Materials | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Checkmarx | Date Declared: March 19, 2008 |
|---|
|
Web Site: |
Quote/Declaration: Checkmarx is an enthusiastic supporter of CWE standards and best practices. The combination of Checkmarx new generation Static Analysis Security Testing technology for all major coding languages including mobile (Android/iOS) and localization to various languages, together with CWE's industry leading standards, provides the programming community a more secure and vulnerability free environment. Exposing CWE's standards to our rapidly growing customer base, both in the U.S. and the rest of the world, has proven to be effective in identifying vulnerabilities and contributing to a more secure cyber world.
| Name: CxCloud | ||
| Type: Static Code Analysis On Demand | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: CxEnterprise | ||
| Type: Static Code Analysis On Premise | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: CxSuite | ||
| Type: Static Application Security Testing/Application Security Code Review | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Cigital, Inc. | Date Declared: February 05, 2007 |
|---|
|
Web Site: |
| Name: Architectural and Design Risk Management | ||
| Type: Software Security Architecture and Design Risk Assessment and Management | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: Secure Code Review with Automated Tools | ||
| Type: Security Code Assessment | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: Security Training and Awareness (various courses) | ||
| Type: Software Security Training and Awareness Courses | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Codenomicon Ltd. | Date Declared: September 10, 2009 |
|---|
|
Web Site: |
Quote/Declaration: DEFENSICS X is a fuzzing solution that tests devices and services for implementation level vulnerabilities. CWE categorization is used as a part of root cause analysis that helps end users to understand the potential impacts and the nature of discovered vulnerabilities.
| Name: DEFENSICS X | ||
| Type: Fuzz Testing Tool with Integrated Capability to Report CWE Identifiers and Descriptions for Found Vulnerabilities | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Conviso Application Security | Date Declared: April 12, 2013 |
|---|
|
Web Site: |
Quote/Declaration: Because just finding bugs isn't enough!
| Name: Conviso Security Compliance (CSC) | ||
| Type: Vulnerability Identification and Management | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Coverity, Inc. | Date Declared: September 10, 2009 |
|---|
|
Web Site: |
Quote/Declaration: Coverity recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility for our development testing solutions.
| Name: Coverity Quality Advisor | ||
| Type: Static Application Security Testing (SAST) | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: Coverity Security Advisor | ||
| Type: Static Application Security Testing (SAST) | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| CXSecurity | Date Declared: January 3, 2012 |
|---|
|
Web Site: |
| Name: World Laboratory of Bugtraq (WLB) 2 | ||
| Type: Vulnerability Database | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: cIFrex | ||
| Type: Free Security Research Tool | ||
|
CWE Coverage:
Yes
CWE Documentation:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Denim Group, Ltd | Date Declared: March 12, 2013 |
|---|
|
Web Site: |
Quote/Declaration: ThreadFix is a software vulnerability aggregation and management solution that imports results from static, dynamic, and manual software security testing tools, providing a centralized view of defects across development projects. CWE is an important and valuable initiative that will help ThreadFix users better understand the security posture of their code.
| Name: ThreadFix | ||
| Type: Open Source Vulnerability Management Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| EC-Council | Date Declared: July 17, 2011 |
|---|
|
Web Site: |
Quote/Declaration: EC-Council delivers a secure software coding course that will help individuals discover and plug serious web security vulnerabilities. Mapping these vulnerabilities to the CWE standard will provide additional vulnerability details and enable our customers to prioritize their remediation activities and meet compliance requirements. Through this initiative, users can search vulnerability information by CWE-ID and software type. Developers can utilize CWE as a means to understand and prevent vulnerabilities.
| Name: EC-Council Certified Secure Programmer | ||
| Type: Secure Programmer Certification Program | ||
|
CWE Coverage:
No
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| EMC Corporation and RSA (The Security Division of EMC) | Date Declared: April 19, 2009 |
|---|
|
Web Site: |
Quote/Declaration: As part of the EMC Security Development Lifecycle (SDL), CWE provides us with a common framework for linking our internal practices for securing our products with other industry initiatives and standards and to leverage the work done by other members of the security industry.
| Name: EMC Product Security Policy (PSP) | ||
| Type: Enterprise Policy for Secure Product Development | ||
|
CWE Coverage:
No
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: EMC Security Development Lifecycle (SDL) | ||
| Type: Enterprise Secure Development Lifecycle | ||
|
CWE Coverage:
No
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: EMC Vulnerability Response Policy (VRP) | ||
| Type: Enterprise Response Policy for Product Vulnerabilities | ||
|
CWE Coverage:
No
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Fasoo.com, Inc. | Date Declared: August 8, 2012 |
|---|
|
Web Site: |
| Name: SPARROW | ||
| Type: Semantic-Based Static Program Analysis Engine | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| GrammaTech, Inc. | Date Declared: March 13, 2007 |
|---|
|
Web Site: |
Quote/Declaration: GrammaTech's CodeSonar is a static analysis tool for finding programming flaws and security vulnerabilities in C/C++ code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort.
| Name: CodeSonar | ||
| Type: Static Analysis Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Hewlett-Packard | Date Declared: February 05, 2007 |
|---|
|
Web Site: |
Quote/Declaration: HP Application Security Center recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility for all HP Application Security Center products and services.
| Name: HP Assessment Management Platform (AMP) | ||
| Type: Enterprise Platform for Managing a Web Application Security Assessment Program | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: HP DevInspect | ||
| Type: Web Application Security Assessment Tool for Developers | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| Name: HP Fortify On Demand | ||
| Type: Static and Dynamic Analysis and Results Reporting Service | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: HP Fortify Real-Time Analyzer | ||
| Type: Real-Time Detection and Prevention of Attacks | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: HP Fortify Software Security Center | ||
| Type: Results Reporting | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: HP Fortify Static Code Analyzer | ||
| Type: Static Analysis and Results Reporting | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: HP QAInspect | ||
| Type: Web Application Security Assessment Tool for QA | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| Name: HP SaaS for ASC | ||
| Type: Web Application Security Assessment and AMP delivered through Software-as-a-Service | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| Name: HP WebInspect | ||
| Type: Dynamic Analysis Web Application Security Assessment Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| High-Tech Bridge SA | Date Declared: August 20, 2012 |
|---|
|
Web Site: |
Quote/Declaration: At High-Tech Bridge we strongly believe that a weakness standardization system, such as CWE, is vital to facilitate vulnerabilities classification, remediation and management. CWE Compatibility is also a perfect complement for our CVE Compatibility.
| Name: High-Tech Bridge Security Advisories | ||
| Type: Database/Knowledge Repository Based upon High-Tech Bridge's Proprietary Research | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| IBM Rational | Date Declared: February 05, 2007 |
|---|
|
Web Site: |
| Name: Rational AppScan Tester Edition | ||
| Type: Development-Time Web Application Security Testing Tool | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| IBM Security Systems | Date Declared: July 10, 2012 |
|---|
|
Web Site: |
Quote/Declaration: We recognize the importance of compliance in security standards for IBM Security AppScan Standard, Enterprise, and Source to convey maximum usability and ease-of-use.
| Name: IBM Security AppScan Enterprise | ||
| Type: Enterprise Web Application Security Assessment Tool | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| Name: IBM Security AppScan Source | ||
| Type: Source Code Testing Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: IBM Security AppScan Standard | ||
| Type: Web Application Security Assessment Scanner | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Information-technology Promotion Agency, Japan (IPA) | Date Declared: October 3, 2008 |
|---|
|
Web Site: |
Quote/Declaration: IPA is including CWE vulnerability type information in JVN iPedia to enhance the quality of JVN iPedia and to strengthen international collaboration. Users can search vulnerability information by CWE-ID and software type. Developers can utilize CWE as a means to understand and prevent vulnerabilities.
| Name: JVN iPedia | ||
| Type: Vulnerability Countermeasure Information Database | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: MyJVN | ||
| Type: Filtered Vulnerability Countermeasure Information Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| ISC2 The International Information Systems Security Certification Consortium | Date Declared: September 8, 2009 |
|---|
|
Web Site: |
Quote/Declaration: (ISC)2® created the Certified Secure Software Lifecycle Professional (CSSLPCM) education and certification program with the assistance of individuals from organizations including The Department of Homeland Security, Microsoft, Cisco, Xerox, and Symantec. The CSSLP Education and Certification program assists organizations in building security initiatives throughout the software development lifecycle and establishes a baseline of competency for individuals and organizations committed to reducing application vulnerability much like CWE.
| Name: Certification of Software Lifecycle Personnel | ||
| Type: Professional Certification | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Planned
|
||
| KDM Analytics | Date Declared: September 17, 2009 |
|---|
|
Web Site: |
Quote/Declaration: KDM Analytics supports and uses CWE because it makes perfect sense to have a vulnerability/weakness reporting standard.
| Name: Software Assurance Assessment | ||
| Type: Software Assurance Assessment Service | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: Tool Output Integration Framework (TOIF) | ||
| Type: Open Source Vulnerability Detection Platform | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Klocwork, Inc. | Date Declared: February 05, 2007 |
|---|
|
Web Site: |
Quote/Declaration: We see CWE as an important collaboration between academia, government, and industry to help mainstream the principles of secure coding. Klocwork is pleased to contribute to this initiative and have made our source code analysis tools compliant with the second level of the CWE Compatibility Program.
| Name: Klocwork Insight | ||
| Type: Assessment and Remediation Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| LDRA | Date Declared: September 16, 2009 |
|---|
|
Web Site: |
Quote/Declaration: LDRA has been a valuable contributor to the software security industry and its standardization process. The next step in this endeavor is establishing CWE compatibility and effectiveness as a top priority for the LDRA Tool Suite.
| Name: LDRA Testbed | ||
| Type: Static and Dynamic Software Analysis Tool Suite | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Name: TBvision | ||
| Type: Static and Dynamic Software Analysis Tool Suite | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| National Institute of Standards and Technology (NIST) | Date Declared: March 2, 2012 |
|---|
|
Web Site: |
Quote/Declaration: The purpose of the SAMATE Reference Dataset (SRD) is to provide a public repository of test cases to measure the accuracy and breadth of software assurance tools; to improve tools and techniques; and to increase adoption and use of software tools, higher quality software. The CWE compatibility and effectiveness will enhance the usability of SRD among software assurance tools and users.
| Name: SAMATE Reference Dataset (SRD) | ||
| Type: Web-based Software Security Assurance Application | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| NETpeas, SA | Date Declared: January 19, 2012 |
|---|
|
Web Site: |
Quote/Declaration: COREvidence initiates, correlates, and aggregates different results from multi-engines and APIs Vulnerability and malware scanners providing dashboards and deliverable with relevant CWE information combined with other open standards. COREvidence is also able to tag vulnerability with The CWE/SANS Top 25 Most Dangerous Software Errors.
| Name: COREvidence | ||
| Type: Cloud-Based, Multi-Engines Vulnerability Management Service | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Planned
|
||
| Parasoft Corporation | Date Declared: September 14, 2009 |
|---|
|
Web Site: |
| Name: Jtest | ||
| Type: Java Software Quality Analysis and Testing Solution | ||
|
CWE Coverage:
Planned
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Programming Research, Inc. | Date Declared: September 17, 2009 |
|---|
|
Web Site: |
Quote/Declaration: PRQA is the leader in automated coding standards enforcement and defect prevention in C and C++ source code. Our support of CWE enhances our ability to close security vulnerabilities. We are committed to the safety and security of our client's source pools by supporting CWE on an ongoing basis.
| Name: QA*C - CWE Compliance Module for C Programming Language | ||
| Type: Source Code Static Analysis Product Suite | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| Name: QA*CPP - CWE Compliance Module for C++ Programming Language | ||
| Type: Source Code Static Analysis Product Suite | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| Red Hat, Inc. | Date Declared: February 8, 2012 |
|---|
|
Web Site: |
Quote/Declaration: Red Hat is engaged in CWE Compatibility for providing a common language for discussing, identifying, and dealing with the causes of vulnerabilities in its products as part of its assessment services, knowledge repositories, software development practices, and education offerings.
| Name: Red Hat Customer Portal | ||
| Type: Customer Assessment Service | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| SANS Institute | Date Declared: July 02, 2007 |
|---|
|
Web Site: |
Quote/Declaration: Working closely with CWE will help SANS ensure that questions for the Secure Programming Exams will have the broadest coverage for each language, at a level of detail that is appropriate for programmers. By monitoring additions to CWE, we will be able to stay up-to-date with the most recently discovered types of weaknesses, along with real-world CVE examples that show how these issues can manifest themselves. By using CWE identifiers, we can avoid the ambiguity in terminology that still exists, giving clear guidance to programmers about the mistakes that they must know how to avoid.
| Name: Secure Programming Exams/Assessments | ||
| Type: Professional Secure Programming Examination | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| SD Elements | Date Declared: March 22, 2012 |
|---|
|
Web Site: |
Quote/Declaration: SDElements uses CWE to identify potential problems and correlate the requirements and security audits. SDElements is CWE-searchable, CWE-friendly, and intends to use the CWE traits as a standard to be able to integrate and work with other security products such as static analysis tools.
| Name: SDElements | ||
| Type: Secure Application Lifecycle Management (SALM) Tool | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Security-Database | Date Declared: May 5, 2008 |
|---|
|
Web Site: |
Quote/Declaration: CWE is a great effort to empower organizations to better identify and eliminate programming flaws. Security-Database is pleased to support this initiative by supplying CWE information along with vulnerability information. We are also planning to ensure CWE compatibility with our next vulnerability management software.
| Name: Security-Database Web Services | ||
| Type: Web Services | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| SecurityReason | Date Declared: October 13, 2008 |
|---|
|
Web Site: |
Quote/Declaration: Mapping vulnerabilities in SecurityAlert Database to the CWE standard will provide additional vulnerability details and give our customers industry standard terminology and classification. We are pleased to support the CWE Initiative.
| Name: SecurityAlert | ||
| Type: Web Application Security Risk Management Platform | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| SkillBridge, LLC | Date Declared: January 11, 2008 |
|---|
|
Web Site: |
Quote/Declaration: SkillBridge is pursuing CWE compatibility for its Secure Programming training offerings to better incorporate industry standards and best practices into the solutions we provide to our client base.
| Name: Secure Application Development Training Courses | ||
| Type: Instructor Led Training | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Planned
|
||
| SofCheck Inc. | Date Declared: March 02, 2007 |
|---|
|
Web Site: |
Quote/Declaration: SofCheck Inspector is a new Static Analysis and fault detection Tool. It uses static control-flow, data-flow, and possible-value-set propagation techniques to identify places where run-time errors could occur. Since 50%+ of all Vulnerabilities instances result from errors in the application code this automated software quality technique allows vulnerabilities to be identified and eliminated very early in the software life cycle.
| Name: SofCheck Inspector for Ada | ||
| Type: Static Analysis and Fault Detection Tool | ||
|
CWE Coverage:
Planned
CWE Output:
Planned
CWE Searchable:
Yes
|
||
| Symantec Corporation | Date Declared: September 24, 2010 |
|---|
|
Web Site: |
Quote/Declaration: CWE is the de facto common language used by all Symantec Product Security teams around the world to classify vulnerabilities and incidents. The use of CWE helps Symantec to: decide where to invest resources; fine tune educational efforts to address company's needs; verify whether the current process is indeed proactively catching critical vulnerabilities; communicate findings effectively to different audiences.
| Name: Symantec Product Security | ||
| Type: Symmunize (Symantec's Secure Development Lifecycle Process) | ||
|
CWE Coverage:
No
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Veracode, Inc. | Date Declared: February 05, 2007 |
|---|
|
Web Site: |
Quote/Declaration: We are pursuing CWE Compatibility because we believe in standards-based testing. It benefits the customer community and advances progress in application security when vendors adopt an industry standard. Doing so allows a common yardstick for measurement regardless of the product or service used and allows true comparisons and a common understanding of the problems affecting software applications.
| Name: Veracode Analytics | ||
| Type: SAST, DAST, Manual Penetration Testing | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: Veracode Dynamic Analysis | ||
| Type: SAST, DAST, Manual Penetration Testing | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: Veracode Manual Testing | ||
| Type: SAST, DAST, Manual Penetration Testing | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| Name: Veracode Static Analysis | ||
| Type: SAST, DAST, Manual Penetration Testing | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||
| WebLayers, Inc. | Date Declared: May 3, 2012 |
|---|
|
Web Site: |
Quote/Declaration: WebLayers Center Java Security Library consists of policies that map to the CWE standard and best practices. The policies provide a complete set of security specific coding guidelines targeted at the Java programming language.
| Name: WebLayers Center Security Policy Library | ||
| Type: Software Development Lifecycle (SDLC) Governance | ||
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
||
| Review Completed Questionnaire | ||