| TOTALS | |
|---|---|
| Organizations Participating | 19 |
| Products & Services | 35 |

All organizations participating in the CWE Compatibility and Effectiveness Program are listed below.
Products are listed alphabetically by organization name:
| Armorize Technologies, Inc. | Date Declared: March 09, 2007 |
|---|---|

Web Site:

Quote/Declaration: Armorize appreciates the CWE initiative in assisting organizations in their evaluation of automated static analysis tools and is pleased to support this industry standard naming scheme for all Armorize Technologies' products and services to best serve our customers.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| CodeSecure Enterprise | Web Application Source Code Analysis Tool | Yes | Yes | Yes |
| CodeSecure Verifier | Web Application Source Code Analysis Suite | Yes | Yes | Yes |
| CodeSecure Workbench | Web Application Source Code Analysis Tool | Yes | Yes | Yes |

| Cenzic, Inc. | Date Declared: August 27, 2008 |
|---|---|

Web Site:

Quote/Declaration: Cenzic delivers a suite of software applications and services that will discover true web security vulnerabilities. Mapping these vulnerabilities to the CWE standard will provide additional vulnerability details and enable our customers to prioritize their remediation activities and meet compliance requirements.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Cenzic Hailstorm Professional | Web Application Penetration Testing and Vulnerability Management System | Planned | Planned | Planned |
| Cenzic Hailstorm Enterprise ARC | Web Application Security Risk Management Platform | Planned | Planned | Planned |

| CERIAS/Purdue University | Date Declared: February 20, 2007 |
|---|---|

Web Site:

Quote/Declaration: The exhaustiveness and organization of the CWE coverage is attractive both as an educational tool, and to make sure that students are exposed to secure programming issues in a systematic way that is representative of the most frequent and important problems. I have started revising the secure programming slides with CWE content, and expect to be done midway through Fall 2007.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Secure programming class, CS390S | Secure Programming Class and Publicly Available Teaching Materials | Yes | Yes | Planned |

| Checkmarx | Date Declared: March 19, 2008 |
|---|---|

Web Site:

Quote/Declaration: Checkmarx is an enthusiastic supporter of CWE standards and best practices. The combination of Checkmarx's new generation Static Analysis Security Testing technology, together with CWE's industry-leading standards, provides the programming community a more secure and vulnerability-free environment. Exposing CWE's standards to our rapidly growing customer base, both in the US and the rest of the world, has proven to be effective in identifying vulnerabilities and contributing to a more secure cyber world.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| CxSuite | Static Application Security Testing/Application Security Code Review | Yes | Planned | Planned |

| Cigital, Inc. | Date Declared: February 05, 2007 |
|---|---|

Web Site:

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Architectural and Design Risk Management | Software Security Architecture and Design Risk Assessment and Management | Yes | Yes | Planned |
| Secure Code Review with Automated Tools | Security Code Assessment | Yes | Yes | Planned |
| Security Training and Awareness (various courses) | Software Security Training and Awareness Courses | Yes | Yes | Planned |

| EMC Corporation and RSA (The Security Division of EMC) | Date Declared: April 19, 2009 |
|---|---|

Web Site:

Quote/Declaration: As part of the EMC Security Development Lifecycle (SDL), CWE provides us with a common framework for linking our internal practices for securing our products with other industry initiatives and standards and to leverage the work done by other members of the security industry.

| Name | EMC Product Security Policy (PSP) |
|---|---|
| Type | Enterprise Policy for Secure Product Development |
| CWE Output | Yes - the EMC Product Security Policy lists CWE identifiers as part of guidance documents and compliance requirements. |
| CWE Searchable | Yes - the EMC Product Security Policy guidance and compliance documents are searchable using CWE identifiers. |
| CWE Coverage | No - the EMC Product Security Policy is an internal process which is not publicly available outside EMC/RSA. We occasionally share our CWE mappings with other 3rd parties, such as tool vendors, to ensure our requirements are met by their own CWE declarations. |
| CWE Documentation | Yes - all documents include a reference to CWE.mitre.org and describe the purpose and usage of CWE within the document. |

| Name | EMC Security Development Lifecycle (SDL) |
|---|---|
| Type | Enterprise Secure Development Lifecycle |
| CWE Output | Yes - the EMC Security Development Lifecycle lists CWE identifiers as part of guidance documents and compliance requirements. |
| CWE Searchable | Yes - the EMC Security Development Lifecycle guidance and compliance documents are searchable using CWE identifiers. |
| CWE Coverage | No - the EMC Security Development Lifecycle is an internal process which is not publicly available outside EMC/RSA. We occasionally share our CWE mappings with other 3rd parties, such as tool vendors, to ensure our requirements are met by their own CWE declarations. |
| CWE Documentation | Yes - all documents include a reference to CWE.mitre.org and describe the purpose and usage of CWE within the document. |

| Name | EMC Vulnerability Response Policy (VRP) |
|---|---|
| Type | Enterprise Response Policy for Product Vulnerabilities |
| CWE Output | Yes - the EMC Vulnerability Response Policy analysis output is mapped to a CWE identifier. |
| CWE Searchable | Yes - the EMC Vulnerability Response Policy analysis documents, resulting from Vulnerability Response activities, can be searched by CWE identifier. |
| CWE Coverage | No - the EMC Vulnerability Response Policy is an internal process which is not publicly available outside EMC/RSA. We occasionally share our CWE mappings with other 3rd parties, such as tool vendors, to ensure our requirements are met by their own CWE declarations. |
| CWE Documentation | Yes - all documents include a reference to CWE.mitre.org and describe the purpose and usage of CWE within the document. |

| Fortify Software | Date Declared: January 25, 2007 |
|---|---|

Web Site:

Quote/Declaration: Fortify has been a strong supporter of CWE since its inception and our Security Research Group contributes new vulnerabilities on an ongoing basis. We believe that a strong industry standard will empower the industry to become more effective at identifying and eliminating vulnerabilities in software and we design our tools to support the adoption of CWE among our customers.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Fortify Source Code Analysis (SCA) | Source Code Analysis Tool | Yes | Yes | Yes |

| GrammaTech, Inc. | Date Declared: March 13, 2007 |
|---|---|

Web Site:

Quote/Declaration: GrammaTech's CodeSonar is a static analysis tool for finding programming flaws and security vulnerabilities in C/C++ code. The CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| CodeSonar | Static Analysis Tool | Yes | Yes | Yes |

| HP Application Security Center | Date Declared: February 05, 2007 |
|---|---|

Web Site:

Quote/Declaration: HP Application Security Center recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of Mitre to establish the CWE standard by ensuring CWE compatibility for all HP Application Security Center products and services. - Joe Yeager, Product Manager, HP Application Security Center

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| HP Assessment Management Platform software | Enterprise Platform for Managing a Web Application Security Assessment Program | Planned | Planned | Planned |
| HP DevInspect | Web Application Security Assessment Tool for Developers | Planned | Planned | Planned |
| HP QAInspect software | Web Application Security Assessment Tool for QA | Planned | Planned | Planned |
| HP SaaS for ASC | Web Application Security Assessment and AMP delivered through Software-as-a-Service | Planned | Planned | Planned |
| HP WebInspect software | Web Application Security Assessment Tool | Planned | Planned | Planned |

| IBM Rational | Date Declared: February 05, 2007 |
|---|---|

Web Site:

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Rational AppScan Build Edition | Web Application Security Testing Tool For QA | Planned | Planned | Planned |
| Rational AppScan Developer Edition | Embedded Build-Time Web Application Security Testing Tool | Planned | Planned | Planned |
| Rational AppScan Enterprise Edition | Enterprise Web Application Security Assessment Tool | Planned | Planned | Planned |
| Rational AppScan Express Edition | Web Application Security Assessment Tool | Planned | Planned | Planned |
| Rational AppScan Standard Edition | Web Application Security Assessment Tool | Planned | Planned | Planned |
| Rational AppScan Tester Edition | Development-Time Web Application Security Testing Tool | Planned | Planned | Planned |

| Information-Technology Promotion Agency (IPA), Japan | Date Declared: October 3, 2008 |
|---|---|

Web Site:

Quote/Declaration: IPA is including CWE vulnerability type information in JVN iPedia to enhance the quality of JVN iPedia and to strengthen international collaboration. Users can search vulnerability information by CWE-ID and software type. Developers can utilize CWE as a means to understand and prevent vulnerabilities.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| JVN iPedia | Vulnerability Countermeasure Information Database | Yes | Yes | Yes |

| Klocwork, Inc. | Date Declared: February 05, 2007 |
|---|---|

Web Site:

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Klocwork Enterprise Development Suite | Assessment and Remediation Tool | Planned | Planned | Planned |

| Ounce Labs | Date Declared: January 25, 2007 |
|---|---|

Web Site:

Quote/Declaration: Ounce Labs is a long-standing participant in the CWE initiative, and continues to support its efforts in developing a common platform from which existing and emerging vulnerabilities can be assessed across the broad security spectrum. Ounce is dedicated to customer success and enabling our customers to secure their business and mitigate risk today, so that they can continue to do business tomorrow.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Ounce | Static Source Code Analysis Tool | Yes | Yes | Yes |

| SANS Institute | Date Declared: July 02, 2007 |
|---|---|

Web Site:

Quote/Declaration: Working closely with CWE will help SANS ensure that questions for the Secure Programming Exams will have the broadest coverage for each language, at a level of detail that is appropriate for programmers. By monitoring additions to CWE, we will be able to stay up-to-date with the most recently discovered types of weaknesses, along with real-world CVE examples that show how these issues can manifest themselves. By using CWE identifiers, we can avoid the ambiguity in terminology that still exists, giving clear guidance to programmers about the mistakes that they must know how to avoid.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Secure Programming Exams/Assessments | Professional Secure Programming Examination | Planned | Planned | Planned |

| Security-Database | Date Declared: May 5, 2008 |
|---|---|

Web Site:

Quote/Declaration: CWE is a great effort to empower organizations to better identify and eliminate programming flaws. Security-Database is pleased to support this initiative by supplying CWE information along with vulnerability information. We are also planning to ensure CWE compatibility with our next vulnerability management software.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Security-Database Web Services | Web Services | Yes | Yes | Yes |

| SecurityReason | Date Declared: October 13, 2008 |
|---|---|

Web Site:

Quote/Declaration: Mapping vulnerabilities in SecurityAlert Database to the CWE standard will provide additional vulnerability details and give our customers industry standard terminology and classification. We are pleased to support the CWE Initiative.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| SecurityAlert | Web Application Security Risk Management Platform | Yes | Yes | Yes |

| SkillBridge, LLC | Date Declared: January 11, 2008 |
|---|---|

Web Site:

Quote/Declaration: SkillBridge is pursuing CWE compatibility for its Secure Programming training offerings to better incorporate industry standards and best practices into the solutions we provide to our client base.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| Secure Application Development Training Courses | Instructor Led Training | Planned | Planned | Planned |

| SofCheck Inc. | Date Declared: March 02, 2007 |
|---|---|

Web Site:

Quote/Declaration: SofCheck Inspector is a new static analysis and fault detection tool. It uses static control-flow, data-flow, and possible-value-set propagation techniques to identify places where run-time errors could occur. Since 50%+ of all vulnerability instances result from errors in the application code, this automated software quality technique allows vulnerabilities to be identified and eliminated very early in the software life cycle.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| SofCheck Inspector for Ada | Static Analysis and Fault Detection Tool | Planned | Yes | Planned |

| Veracode, Inc. | Date Declared: February 05, 2007 |
|---|---|

Web Site:

Quote/Declaration: Veracode feels strongly that standards in naming and measurement are required to advance the state of software assurance. We have built our technology and service offering with CWE IDs as our base identifier as we feel our customers are best served by this industry standard naming scheme. We also look forward to completing the effectiveness phase as soon as possible so we can showcase our security analysis capabilities to potential customers without the requirement of time-consuming evaluations.

| Name | Type | CWE Output | CWE Searchable | CWE Coverage |
|---|---|---|---|---|
| SecurityReview | Assessment Service | Yes | Yes | Yes |
