CWE

Organizations Participating

TOTALS
Organizations Participating: 28
Products & Services: 47

All organizations participating in the CWE Compatibility and Effectiveness Program are listed below.

Products are listed alphabetically by organization name:

Apple
Date Declared: September 10, 2009

Web Site:

Name: Secure Development Lifecycle
Type: Secure Development Lifecycle    
CWE Coverage: Yes - documents reference cwe.mitre.org, and describe the purpose and usage of CWE

CWE Output: Yes - CWE identifiers are provided in internal guidance documents

CWE Searchable: No - Apple's use of CWE is for internal use only

CWE Documentation: No - Apple's use of CWE is for internal use only

Last Updated: September 11, 2009

Armorize Technologies, Inc.
Date Declared: March 09, 2007

Web Site:

Quote/Declaration: Armorize appreciates the CWE initiative in assisting organizations in their evaluation of automated static analysis tools and is pleased to support this industry standard naming scheme for all Armorize Technologies' products and services to best serve our customers.

Name: CodeSecure Enterprise
Type: Web Application Source Code Analysis Tool    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Name: CodeSecure Verifier
Type: Web Application Source Code Analysis Suite    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Name: CodeSecure Workbench
Type: Web Application Source Code Analysis Tool    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: April 3, 2009

CAST
Date Declared: September 17, 2009

Web Site:

Quote/Declaration: CAST's mission for 18 years has been to enable IT organizations to manage non-functional software risk, quality and measurement issues for better business outcomes. CAST has always believed in an industry-led, standards-based approach to ensure proper coverage. Along with ISO, SEI and de facto quality & measurement standards, CAST views CWE as an important new contribution to the canon that can be brought to bear on business issues.

Name: CAST Application Intelligence Platform
Type: Automated Application Assessment Platform    
CWE Output: Yes

CWE Searchable: Yes

CWE Documentation: Planned

CWE Coverage: Yes

Last Updated: September 21, 2009

Cenzic, Inc.
Date Declared: August 27, 2008

Web Site:

Quote/Declaration: Cenzic delivers a suite of software applications and services that will discover true web security vulnerabilities. Mapping these vulnerabilities to the CWE standard will provide additional vulnerability details and enable our customers to prioritize their remediation activities and meet compliance requirements.

Name: Cenzic Hailstorm Professional
Type: Web Application Penetration Testing and Vulnerability Management System    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Name: Cenzic Hailstorm Enterprise ARC
Type: Web Application Security Risk Management Platform    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: September 9, 2009

CERIAS/Purdue University
Date Declared: February 20, 2007

Web Site:

Quote/Declaration: The exhaustiveness and organization of the CWE coverage is attractive both as an educational tool, and to make sure that students are exposed to secure programming issues in a systematic way that is representative of the most frequent and important problems. I have started revising the secure programming slides with CWE content, and expect to be done midway through Fall 2007.

Name: Secure programming class, CS390S
Type: Secure Programming Class and Publicly Available Teaching Materials    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Planned

Last Updated: March 16, 2007

Checkmarx
Date Declared: March 19, 2008

Web Site:

Quote/Declaration: Checkmarx is an enthusiastic supporter of CWE standards and best practices. The combination of Checkmarx new generation Static Analysis Security Testing technology, together with CWE's industry's leading standards, provides the programming community a more secure and vulnerability free environment. Exposing CWE's standards to our rapidly growing customer base, both in the US and the rest of the world, has proven to be effective in identifying vulnerabilities and contributing to a more secure cyber world.

Name: CxSuite
Type: Static Application Security Testing/Application Security Code Review    
CWE Output: Yes

CWE Searchable: Planned

CWE Coverage: Planned

Last Updated: March 21, 2008

Cigital, Inc.
Date Declared: February 05, 2007

Web Site:

Name: Architectural and Design Risk Management
Type: Software Security Architecture and Design Risk Assessment and Management    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Planned

Name: Secure Code Review with Automated Tools
Type: Security Code Assessment    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Planned

Name: Security Training and Awareness (various courses)
Type: Software Security Training and Awareness Courses    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Planned

Last Updated: March 04, 2008

Codenomicon Ltd.
Date Declared: September 10, 2009

Web Site:

Quote/Declaration: DEFENSICS 3 is a fuzzing solution that tests devices and services for implementation level vulnerabilities. CWE categorization is used as a part of root cause analysis that helps the end user to understand the potential impacts and the nature of discovered vulnerabilities.

Name: DEFENSICS 3
Type: Fuzz Testing Tool with Integrated Capability to Report CWE Identifiers and Descriptions for Found Vulnerabilities    
CWE Output: Yes

CWE Searchable: Yes

CWE Documentation: Yes

CWE Coverage: Planned

Last Updated: September 11, 2009

Coverity, Inc.
Date Declared: September 10, 2009

Web Site:

Name: Coverity Integrity Center
Type: Static Analysis Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Documentation: Planned

CWE Coverage: Planned

Name: Coverity Prevent
Type: Static Analysis Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Documentation: Planned

CWE Coverage: Planned

Last Updated: September 11, 2009

EMC Corporation and RSA (The Security Division of EMC)
Date Declared: April 19, 2009

Web Site:

Quote/Declaration: As part of the EMC Security Development Lifecycle (SDL), CWE provides us with a common framework for linking our internal practices for securing our products with other industry initiatives and standards and to leverage the work done by other members of the security industry.

Name: EMC Product Security Policy (PSP)
Type: Enterprise Policy for Secure Product Development    
CWE Output: Yes - the EMC Product Security Policy lists CWE identifiers as part of guidance documents and compliance requirements

CWE Coverage: No - the EMC Product Security Policy is an internal process which is not publicly available outside EMC/RSA. We occasionally share our CWE mappings with other 3rd-parties, such as tool vendors, to ensure our requirements are met by their own CWE declarations.

CWE Searchable: Yes - the EMC Product Security Policy guidance and compliance documents are searchable using CWE identifiers.

CWE Documentation: Yes - All documents include a reference to CWE.mitre.org and describe the purpose and usage of CWE within the document.

Name: EMC Security Development Lifecycle (SDL)
Type: Enterprise Secure Development Lifecycle    
CWE Coverage: No - the EMC Security Development Lifecycle is an internal process which is not publicly available outside EMC/RSA. We occasionally share our CWE mappings with other 3rd-parties, such as tool vendors, to ensure our requirements are met by their own CWE declarations.

CWE Searchable: Yes - the EMC Security Development Lifecycle guidance and compliance documents are searchable using CWE identifiers

CWE Output: Yes - the EMC Security Development Lifecycle lists CWE identifiers as part of guidance documents and compliance requirements

CWE Documentation: Yes - All documents include a reference to CWE.mitre.org and describe the purpose and usage of CWE within the document.

Name: EMC Vulnerability Response Policy (VRP)
Type: Enterprise Response Policy for Product Vulnerabilities    
CWE Coverage: No - the EMC Vulnerability Response Policy is an internal process which is not publicly available outside EMC/RSA. We occasionally share our CWE mappings with other 3rd-parties, such as tool vendors, to ensure our requirements are met by their own CWE declarations.

CWE Output: Yes - the EMC Vulnerability Response Policy analysis output is mapped to a CWE identifier

CWE Searchable: Yes - the EMC Vulnerability Response Policy analysis documents, resulting from Vulnerability Response activities, can be searched by CWE identifier.

CWE Documentation: Yes - All documents include a reference to CWE.mitre.org and describe the purpose and usage of CWE within the document.

Last Updated: April 23, 2009

Fortify Software
Date Declared: January 25, 2007

Web Site:

Quote/Declaration: Fortify has been a strong supporter of CWE since its inception and our Security Research Group contributes new vulnerabilities on an ongoing basis. We believe that a strong industry standard will empower the industry to become more effective at identifying and eliminating vulnerabilities in software and we design our tools to support the adoption of CWE among our customers.

Name: Fortify Source Code Analysis (SCA)
Type: Source Code Analysis Tool    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: April 3, 2009

GrammaTech, Inc.
Date Declared: March 13, 2007

Web Site:

Quote/Declaration: GrammaTech's CodeSonar is a static analysis tool for finding programming flaws and security vulnerabilities in C/C++ code. The CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort.

Name: CodeSonar
Type: Static Analysis Tool    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: February 27, 2008

HP Application Security Center
Date Declared: February 05, 2007

Web Site:

Quote/Declaration: HP Application Security Center recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of Mitre to establish the CWE standard by ensuring CWE compatibility for all HP Application Security Center products and services. - Joe Yeager, Product Manager, HP Application Security Center

Name: HP Assessment Management Platform software
Type: Enterprise Platform for Managing a Web Application Security Assessment Program    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: HP DevInspect
Type: Web Application Security Assessment Tool for Developers    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: HP QAInspect software
Type: Web Application Security Assessment Tool for QA    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: HP SaaS for ASC
Type: Web Application Security Assessment and AMP delivered through Software-as-a-Service    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: HP WebInspect software
Type: Web Application Security Assessment Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Last Updated: May 27, 2009

IBM Rational
Date Declared: February 05, 2007

Web Site:

Name: Rational AppScan Build Edition
Type: Web Application Security Testing Tool For QA    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: Rational AppScan Developer Edition
Type: Embedded Build-Time Web Application Security Testing Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: Rational AppScan Enterprise Edition
Type: Enterprise Web Application Security Assessment Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: Rational AppScan Express Edition
Type: Web Application Security Assessment Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: Rational AppScan Standard Edition
Type: Web Application Security Assessment Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Name: Rational AppScan Tester Edition
Type: Development-Time Web Application Security Testing Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Last Updated: October 14, 2008

Information-Technology Promotion Agency (IPA), Japan
Date Declared: October 3, 2008

Web Site:

Quote/Declaration: IPA is including CWE vulnerability type information in JVN iPedia to enhance the quality of JVN iPedia and to strengthen international collaboration. Users can search vulnerability information by CWE-ID and software type. Developers can utilize CWE as a means to understand and prevent vulnerabilities.

Name: JVN iPedia
Type: Vulnerability Countermeasure Information Database    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Name: MyJVN
Type: Filtered Vulnerability Countermeasure Information Tool    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: September 21, 2009

ISC2 The International Information Systems Security Certification Consortium
Date Declared: September 8, 2009

Web Site:

Quote/Declaration: (ISC)2® created the Certified Secure Software Lifecycle Professional (CSSLPCM) education and certification program with the assistance of individuals from organizations including The Department of Homeland Security, Microsoft, Cisco, Xerox, and Symantec. The CSSLP Education and Certification program assists organizations in building security initiatives throughout the software development lifecycle and establishes a baseline of competency for individuals and organizations committed to reducing application vulnerability much like CWE.

Name: Certification of Software Lifecycle Personnel
Type: Vulnerability Countermeasure Information Database    
CWE Output: Yes

CWE Searchable: Planned

CWE Coverage: Planned

Last Updated: September 8, 2009

KDM Analytics
Date Declared: September 17, 2009

Web Site:

Quote/Declaration: KDM Analytics supports and uses CWE because it makes perfect sense to have a vulnerability/weakness reporting standard.

Name: Software Assurance Assessment
Type: Software Assurance Assessment Service    
CWE Output: Yes

CWE Searchable: Yes

CWE Documentation: Yes

CWE Coverage: Planned

Last Updated: September 21, 2009

Klocwork, Inc.
Date Declared: February 05, 2007

Web Site:

Name: Klocwork Enterprise Development Suite
Type: Assessment and Remediation Tool    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Last Updated: February 05, 2007

LDRA
Date Declared: September 16, 2009

Web Site:

Quote/Declaration: LDRA has been a valuable contributor to the software security industry and its standardization process. The next step in this endeavor is establishing CWE compatibility and effectiveness as a top priority for the LDRA Tool Suite.

Name: LDRA Testbed
Type: Static and Dynamic Software Analysis Tool Suite    
CWE Output: Planned

CWE Searchable: Planned

CWE Documentation: Planned

CWE Coverage: Planned

Last Updated: September 17, 2009

Ounce Labs
Date Declared: January 25, 2007

Web Site:

Quote/Declaration: Ounce Labs is a long-standing participant in the CWE initiative, and continues to support its efforts in developing a common platform from which existing and emerging vulnerabilities can be assessed across the broad security spectrum. Ounce is dedicated to customer success and enabling our customers to secure their business and mitigate risk today, so that they can continue to do business tomorrow.

Name: Ounce
Type: Static Source Code Analysis Tool    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: April 3, 2009

Parasoft Corporation
Date Declared: September 14, 2009

Web Site:

Name: Jtest
Type: Java Software Quality Analysis and Testing Solution    
CWE Output: Yes

CWE Searchable: Yes

CWE Documentation: Yes

CWE Coverage: Planned

Last Updated: September 14, 2009

Programming Research, Inc.
Date Declared: September 17, 2009

Web Site:

Quote/Declaration: PRQA is the leader in automated coding standards enforcement and defect prevention in C and C++ source code. Our support of CWE enhances our ability to close security vulnerabilities. We are committed to the safety and security of our client's source pools by supporting CWE on an ongoing basis.

Name: QA*C - CWE Compliance Module for C Programming Language
Type: Source Code Static Analysis Product Suite    
CWE Output: Planned

CWE Searchable: Planned

CWE Documentation: Planned

CWE Coverage: Planned

Name: QA*CPP - CWE Compliance Module for C++ Programming Language
Type: Source Code Static Analysis Product Suite    
CWE Output: Planned

CWE Searchable: Planned

CWE Documentation: Planned

CWE Coverage: Planned

Last Updated: September 29, 2009

SANS Institute
Date Declared: July 02, 2007

Web Site:

Quote/Declaration: Working closely with CWE will help SANS ensure that questions for the Secure Programming Exams will have the broadest coverage for each language, at a level of detail that is appropriate for programmers. By monitoring additions to CWE, we will be able to stay up-to-date with the most recently discovered types of weaknesses, along with real-world CVE examples that show how these issues can manifest themselves. By using CWE identifiers, we can avoid the ambiguity in terminology that still exists, giving clear guidance to programmers about the mistakes that they must know how to avoid.

Name: Secure Programming Exams/Assessments
Type: Professional Secure Programming Examination    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Last Updated: July 02, 2007

Security-Database
Date Declared: May 5, 2008

Web Site:

Quote/Declaration: CWE is a great effort to empower organizations to better identify and eliminate programming flaws. Security-Database is pleased to support this initiative by supplying CWE information along with vulnerability information. We are also planning to ensure CWE compatibility with our next vulnerability management software.

Name: Security-Database Web Services
Type: Web Services    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: May 7, 2008

SecurityReason
Date Declared: October 13, 2008

Web Site:

Quote/Declaration: Mapping vulnerabilities in SecurityAlert Database to the CWE standard will provide additional vulnerability details and give our customers industry standard terminology and classification. We are pleased to support the CWE Initiative.

Name: SecurityAlert
Type: Web Application Security Risk Management Platform    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: October 14, 2008

SkillBridge, LLC
Date Declared: January 11, 2008

Web Site:

Quote/Declaration: SkillBridge is pursuing CWE compatibility for its Secure Programming training offerings to better incorporate industry standards and best practices into the solutions we provide to our client base.

Name: Secure Application Development Training Courses
Type: Instructor Led Training    
CWE Output: Planned

CWE Searchable: Planned

CWE Coverage: Planned

Last Updated: January 11, 2008

SofCheck Inc.
Date Declared: March 02, 2007

Web Site:

Quote/Declaration: SofCheck Inspector is a new Static Analysis and fault detection Tool. It uses static control-flow, data-flow, and possible-value-set propagation techniques to identify places where run-time errors could occur. Since 50%+ of all Vulnerabilities instances result from errors in the application code this automated software quality technique allows vulnerabilities to be identified and eliminated very early in the software life cycle.

Name: SofCheck Inspector for Ada
Type: Static Analysis and Fault Detection Tool    
CWE Output: Planned

CWE Searchable: Yes

CWE Coverage: Planned

Last Updated: March 02, 2007

Veracode, Inc.
Date Declared: February 05, 2007

Web Site:

Quote/Declaration: Veracode feels strongly that standards in naming and measurement are required to advance the state of software assurance. We have built our technology and service offering with CWE IDs as our base identifier as we feel our customers are best served by this industry standard naming scheme. We also look forward to completing the effectiveness phase as soon as possible so we can showcase our security analysis capabilities to potential customers without the requirement of time consuming evaluations.

Name: SecurityReview
Type: Assessment Service    
CWE Output: Yes

CWE Searchable: Yes

CWE Coverage: Yes

Last Updated: February 05, 2007

Page Last Updated: October 05, 2009