Name of Your Organization:
DerSecur Ltd.
Web Site:
https://dersecur.com/
Compatible Capability:
DerScanner
Capability home page:
https://derscanner.com/
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where your capability is made available to your customers and the public (required):
DerScanner is a powerful SAST tool available both as a service (SaaS) and on premise. It can be purchased directly from the DerScanner official website or via a contact form.
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
The most recent CWE content is listed both in the DerScanner UI and its User Guide. The easiest way to check it up is to expand side menu in the Rules & Sets section in the UI.
Figure 1 Map currency indication
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
We strive to keep up with the latest updates in OWASP Top 10 and CWE/SANS Top 25 lists. We currently support CWE List Version 4.6 and are planning to add future updates in a timely manner.
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):
As of today, DerScanner does not provide the timeframe of expected updates to wide audiences.
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
The DerScanner User Guide will be attached as a separate PDF file. CWE compatibility details are covered in Section 4.3. CWE Compatibility. The User Guide can be downloaded from the About page of the Derscanner UI.
Figure 2 User Guide download button
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
The DerScanner User Guide will be attached as a separate PDF file. Details on using CWE identifiers to find security elements in the system are covered in Section 4.3. CWE Compatibility and in further detail, in sections linked in Section 4.3.
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS
<CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
The DerScanner User Guide will be attached as a separate PDF file. Details on matching security elements in the system with correspondent CWE identifiers are covered in Section 4.3. CWE Compatibility and in further detail, in sections linked in Section 4.3.
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL
<CR_5.4>
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):
The User Guide supports search by keyword. The list of CWE-related items can be produced by using the search function.
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
The complete list of security elements in the system associated with CWE items can be produced via Rules & Sets tab of the UI.
The findings of an analysis performed by DerScanner are located on the Detailed Results tab of a project. To filter the findings by a specific CWE identifier, a user can use the search bar to put in that respective CWE item.
Figure 3 Filtering results by a CWE item
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
To produce a report in accordance with CWE/SANS Top 25, a user should select the corresponding option in the Vulnerability Classification drop-down list on the Export Report page of a project. The report will provide a short notice on the classification itself and its items, and a table with findings grouped by CWE identifiers.
Figure 4 Configuring report settings
Figure 5 Report. About CWE/SANS Top 25
Figure 6 Report. Detailed Results
Figure 7 Report. Vulnerability Entry
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
The comprehensive list of DerScanner security elements associated with CWE items can be derived from the Rules & Sets tab of the UI.
Figure 8 List of security elements associated with CWE items
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the tool is effective at locating in software (recommended):
DerScanner does not provide the CCR document with the CWE identifiers that DerScanner can locate in software.
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):
The respective CWE identifiers (if any) are always listed for a single security element on the Detailed Results page of a DerScanner project.
Figure 9 Corresponding CWE items for a security element
Media Questions
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
DerScanner provides User and Administrator Guides in PDF format and Security Reports in PDF, CSV and DOCX formats (+ JSON and SARIF via API call).
The Guides support search by keyword. The list of CWE-related items can be produced by using the search function.
Search by keyword is also applicable to Security Reports in PDF, DOCX, JSON and SARIF, regardless of selected Vulnerability Classification method. To produce CWE-related security reports in CSV format, a respective Vulnerability Classification method should be selected.
ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):
Every electronic document provides identifiers alongside with titles. Detailed description and links to the corresponding CWE online resources are provided for some documents.
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):
See answer to <CR_A.2.1>.
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):
See answer to <CR_A.2.6>.
GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>
Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):
See answer to <CR_B.3.1>.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Dan Chernov
Title: MSIS, CISSP, CISA DerScanner Producer
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CWE identifiers our capability reports, and those CWE identifiers are as specific as possible within the available CWE repository."
Name: Dan Chernov
Title: MSIS, CISSP, CISA DerScanner Producer
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: Dan Chernov
Title: MSIS, CISSP, CISA DerScanner Producer
More information is available — Please edit the custom filter or select a different filter.
|
