Common Weakness Enumeration
Common Weakness Enumeration is a software community project that aims at creating a catalog of software weaknesses and vulnerabilities. The goal of the project is to better understand flaws in software and to create automated tools that can be used to identify, fix, and prevent those flaws.[1] The project is sponsored by the National Cybersecurity FFRDC, which is owned by The MITRE Corporation.
CWE Compatibility
Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact.
In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:
| CWE Searchable | users may search security elements using CWE identifiers |
| CWE Output | security elements presented to users includes, or allows users to obtain, associated CWE identifiers |
| Mapping Accuracy | security elements accurately link to the appropriate CWE identifiers |
| CWE Documentation | capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used |
| CWE Coverage | for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software |
| CWE Test Results | for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site |
There are eleven organizations that develop and maintain products and services that achieved CWE Compatible status:
- Synopsys, Inc (previously Coverity) (Declared: September, 2009) [2]
- Fasoo (Declared: May, 2013)
- Sparrow
- CXSecurity (Declared: January 3, 2012)
- World Laboratory of Bugtraq (WLB) 2
- GrammaTech, Inc. (Declared: March 13, 2007)
- CodeSonar
- High-Tech Bridge SA (August 20, 2012)
- High-Tech Bridge Security Advisories
- ImmuniWeb
- IBM Security Systems (Declared: July 10, 2012)
- IBM Security AppScan Standard
- Klocwork, Inc. (Declared: February 5, 2007)
- Klocwork Insight
- Hewlett-Packard (February 5, 2007)
- HP Assessment Management Platform (ASP)
- HP DevInspect
- HP Fortify On Demand
- HP Fortify Real-Time Analyzer
- HP Fortify Software Security Center
- HP Fortify Static Code Analyzer
- HP QAInspect
- HP SaaS for ASC
- HP WebInspect
- National Institute of Standards and Technology (NIST) (Declared: March 2, 2012)
- Security-Database (Declared: May 5, 2008)
- Security-Database Web Services
- Veracode, Inc. (Declared: February 5, 2007)
- Veracode Analytics
See also
References
External links
- Project home page // MITRE
- List of organizations participating in CWE Compatibility Program // MITRE
- CWE Compatibility Program intro page // MITRE
- List of companies that provide a CWE Compatible program or service // MITRE
- Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort // 6 March 2007
- Classes of Vulnerabilities and Attacks // Wiley Handbook of Science and Technology for Homeland Security - comparison of different vulnerability Classifications