NOTICE: As of 4/16/2024, the CWE Compatibility Program has been discontinued. The product listings included in this section have been moved to "archive" status.
MOVING FORWARD: Please follow these CWE Compatibility Requirements to consider your product or service "CWE Compatible."
Archived:
|
CWE-Compatible Products and Services: 104
|
The products and services listed below have achieved the final stage of the CWE
Compatibility Program and are now "Officially CWE-Compatible." The organization's completed "CWE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of their product listings.
Compatible
Products are listed alphabetically by organization name:
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z
| AbsInt Angewandte Informatik GmbH |
Date Declared:
Aug 18, 2018
|
Quote/Declaration: Astrée is a sound static analyzer capable of proving the absence of runtime errors and other programming defects in C code
as well as verifying the code's compliance to coding guidelines. We are pleased to support the efforts of MITRE by adding
CWE as a coding guideline that can be automatically checked and verified by Astrée.
Last Updated:
Oct 5, 2018
| AdaCore |
Date Declared:
Aug 20, 2015
|
Quote/Declaration: AdaCore has decades of experience providing tools and services to customers in industries with the most demanding requirements
for software safety, security and reliability. AdaCore technologies, such as SPARK Pro and CodePeer generate verifiable evidence
that the job is done right, beyond the usual "tested it lots". The Ada programming language has always placed an emphasis
on software quality and security by its very design. Our approach takes that further, with the most advanced compilers and
verification tools on the market. Through the Ada language and AdaCore tools, a number of the most dangerous SANS Top 25 CWE
can be detected and corrected early in the software development cycle before they become active vulnerabilities.
Last Updated:
Oct 9, 2018
| Ambionics Security |
Date Declared:
May 17, 2017
|
Last Updated:
Jun 12, 2018
| Anban Information Technology Co., Ltd |
Date Declared:
April 30, 2024
|
Last Updated:
Jun 3, 2024
| Anhui USTC-Guochuang High-Confidence Software Co.,Ltd |
Date Declared:
September 6, 2022
|
Last Updated:
Oct 20, 2022
| Beijing Anpro Information Technology Co. LTD |
Date Declared:
September 30, 2020
|
Last Updated:
Dec 4, 2023
| Beijing Beida Software Engineering Development Co., Ltd. |
Date Declared:
November 11, 2015
|
Quote/Declaration: COBOT focuses on detecting more and more bugs with high accuracy. The foundation of designing a good static analysis tool
is defect patterns. Therefore COBOT is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE
Compatibility for the development of our product.
Last Updated:
Apr 19, 2022
| Beijing Moyunsec Technology Co.,Ltd |
Date Declared:
February 28, 2022
|
Last Updated:
Mar 6, 2023
| Beijing RedRocket Technology Co., Ltd |
Date Declared:
September 22, 2021
|
Quote/Declaration: CWE is a famous general security vulnerability dictionary in the field of security. "CWE compatibility" is one of the important
symbols of software security products. We hope to make our own contribution in the field of code security. In addition, if
we successfully apply for CWE compatibility and effectiveness, our products will be favored by more users.
Last Updated:
Oct 8, 2021
| Beijing Vulinsight Technology Co., Ltd |
Date Declared:
March 18, 2024
|
Last Updated:
Apr 16, 2024
| Beijing ZHONGKE TIANQI Information Technology Co.,Ltd. |
Date Declared:
October 9, 2021
|
Last Updated:
Mar 1, 2022
| CAST |
Date Declared:
September 17, 2009
|
Quote/Declaration: CAST's mission for 18 years has been to enable IT organizations to manage
non-functional software risk, quality and measurement issues for better business
outcomes. CAST has always believed in an industry-led, standards-based approach to
ensure proper coverage. Along with ISO, SEI and de facto quality & measurement
standards, CAST views CWE as an important new contribution to the canon that can be
brought to bear on business issues.
Last Updated:
Dec 1, 2015
| Checkmarx |
Date Declared:
March 19, 2008
|
Quote/Declaration: Checkmarx is an enthusiastic supporter of CWE standards and best practices. The
combination of Checkmarx new generation Static Analysis Security Testing technology
for all major coding languages including mobile (Android/iOS) and localization to
various languages, together with CWE's industry leading standards, provides the
programming community a more secure and vulnerability free environment. Exposing
CWE's standards to our rapidly growing customer base, both in the U.S. and the rest
of the world, has proven to be effective in identifying vulnerabilities and
contributing to a more secure cyber world.
Last Updated:
Mar 15, 2023
| CodeForce(Beijing)Software Technology Co., Ltd |
Date Declared:
February 21, 2022
|
Last Updated:
Mar 1, 2022
| Conviso Application Security |
Date Declared:
April 12, 2013
|
Quote/Declaration: Because just finding bugs isn't enough!
Last Updated:
Sep 5, 2013
| Cr0security |
Date Declared:
December 11, 2013
|
Quote/Declaration: Cr0security focuses on software application security and professional security
services and supports the CWE standard.
— Yuda Prawira, COO and Founder, Cr0security
Last Updated:
Dec 11, 2013
| CXSecurity |
Date Declared:
January 3, 2012
|
| Cybellum |
Date Declared:
June 18, 2023
|
Quote/Declaration: Empowering security for a hyper-connected world, we proactively manage cyber risk and compliance from design to operational
use, keeping our products and customers secure today and into the future.
Last Updated:
Sep 13, 2023
| David A. Wheeler |
Date Declared:
Jul 25, 2014
|
Last Updated:
Jul 25, 2014
| Denim Group, Ltd |
Date Declared:
March 12, 2013
|
Quote/Declaration: ThreadFix is a software vulnerability aggregation and management solution that
imports results from static, dynamic, and manual software security testing tools,
providing a centralized view of defects across development projects. CWE is an
important and valuable initiative that will help ThreadFix users better understand
the security posture of their code.
| DerSecur Ltd. |
Date Declared:
June 7, 2022
|
Quote/Declaration: DerSecur provides system integration, software development and cybersecurity solutions & services by focusing on client’s
current needs and long-term strategy. DerSecur has a team of professionals, located in offices around the world. Our long-term
partner relationships with industry leaders cover B2B solutions and IT infrastructure.
Last Updated:
Jul 18, 2022
| Evenstar |
Date Declared:
January 15, 2016
|
Quote/Declaration: Our company offers the most up-to-date information on security and secure coding to customers, The CWE list of standardized
software vulnerabilities is to be consulted when developing software for providing security and quality enhancement.
|
Name:
BigLook
|
|
Type: Code verification tool for ensuring source code compliance with domestic and international code seucrity guidelines.
|
|
|
|
CWE Coverage:
Yes
CWE Output:
Yes
CWE Searchable:
Yes
|
|
Review Completed Questionnaire
|
Last Updated:
Apr 28, 2020
| GrammaTech, Inc. |
Date Declared:
March 13, 2007
|
Quote/Declaration: GrammaTech's CodeSonar is a static analysis tool for finding programming flaws
and security vulnerabilities in C/C++ code. CWE is an important and valuable
initiative that will help CodeSonar users understand the state of their code more
effectively. GrammaTech is pleased to participate in this effort.
| GTONE Co., Ltd. |
Date Declared:
Aug 20, 2015
|
Last Updated:
Aug 26, 2015
| GYSecurity Technology Co., Ltd |
Date Declared:
January 11, 2024
|
Last Updated:
Jan 22, 2024
| Hangzhou Huawei Cloud Computing Technologies Co., Ltd |
Date Declared:
August 23, 2022
|
Last Updated:
Nov 15, 2023
| High-Tech Bridge SA |
Date Declared:
August 20, 2012
|
Quote/Declaration: At High-Tech Bridge we strongly believe that CWE information security standard
makes security measurable and universal, from which customers, vendors and security
researchers benefit. We are grateful to the efforts of MITRE Corporation for
continuous CWE standard development and support.
Last Updated:
Jun 11, 2013
| IBM Security Systems |
Date Declared:
July 10, 2012
|
Quote/Declaration: IBM actively promotes, supports, and contributes to the emerging open systems
standards such as CVE that enable technology management software in the IBM Security
portfolio of intrusion detection, vulnerability assessment, end point management, and
security management components to inter-operate and share management information. We
know that open system standards are a critical step in this direction. We support CVE
as the first and the most complete naming convention for vulnerability mapping in the
industry and we are committed to using CVE within our product in a tightly integrated
fashion.
Last Updated:
Feb 25, 2014
| Imagix Corporation |
Date Declared:
Jun 12, 2018
|
Quote/Declaration: Through use of Imagix 4D's source and dataflow analysis and visualization, the Imagix CWE Checklist specifically identifies
and assesses over 200 CWE weaknesses. Particular focus is on weaknesses that can't be easily resolved through static analysis
alone. This guided code review supports C and C++, generating an audit trail and supporting repeated reviews across software
revisions.
Last Updated:
Apr 7, 2022
| IriusRisk |
Date Declared:
July 31, 2020
|
Quote/Declaration: Iriusrisk is a threat modeling tool with architectural diagramming capabilities and an adaptive questionnaire driven by an
expert system which guides the user through straight forward questions about the technical architecture, the planned features
and security context of the application. The questionnaire modifies itself in real-time based on the supplied answers. As
it learns more about the architecture, it asks more specific questions in order to accurately identify the inherent risks.
This questionnaire is 100% editable through our graphical rules editor, so that you can customise the questions to your environment
and common architectures.
Last Updated:
Sep 4, 2020
Quote/Declaration: Julia is a sound semantic static analyzer of Java bytecode. We consider CWE standard as the lingua franca to communicate what
capabilities our tool offers, to measure what it covers, and to compare our results with the ones of our competitors.
Last Updated:
Feb 8, 2017
| Kiuwan Software S.L |
Date Declared:
February 17, 2017
|
Quote/Declaration: Enterprise Software Analytics platform. Based on static code analysis, Kiuwan gathers evidence from application source code
to exploit them in a cloud (SaaS) platform at all levels to drive ALM decisions based on objective information. Application
security is a key aspect to measure and control to avoid associated risk. Kiuwan provides not only high level indicators of
application security, but all the detailed information of the found vulnerabilities with a clear mapping to CWE weaknesses,
so stakeholders in the application development life cycle can take the appropriate action to mitigate vulnerabilities and
associated risk.
Last Updated:
Jun 13, 2018
| Klocwork, Inc. |
Date Declared:
February 05, 2007
|
Quote/Declaration: We see CWE as an important collaboration between academia, government, and
industry to help mainstream the principles of secure coding. Klocwork is pleased to
contribute to this initiative and have made our source code analysis tools compliant
with the second level of the CWE Compatibility Program.
| LDRA |
Date Declared:
September 16, 2009
|
Quote/Declaration: LDRA has been a valuable contributor to the software security industry and its
standardization process. The next step in this endeavor is establishing CWE
compatibility and effectiveness as a top priority for the LDRA Tool Suite.
Last Updated:
Apr 28, 2020
| Lucent Sky Corporation |
Date Declared:
November 30, 2015
|
Last Updated:
Dec 6, 2015
| MathWorks, Inc. |
Date Declared:
January 15, 2014
|
Quote/Declaration: MathWorks has a long commitment to help its users creating more reliable
software. The MITRE initiative to establish a classification of software weaknesses
is in line with our support of developing reliable and high quality software. We are
pleased to support the CWE Compatibility Program with our Polyspace code verification
products.
Last Updated:
Aug 26, 2015
| Micro Focus Fortify |
Date Declared:
February 05, 2007
|
Quote/Declaration: Micro Focus Fortify recognizes the importance of establishing industry standard terminology and classification with regard
to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility
for all Micro Focus Application Security Center products and services.
— Scott Johnson, GM, Micro Focus Fortify
Last Updated:
Mar 27, 2020
| Naive Systems Ltd. |
Date Declared:
November 8, 2023
|
Last Updated:
Dec 4, 2023
| National Institute of Standards and Technology (NIST) |
Date Declared:
March 2, 2012
|
Quote/Declaration: The purpose of the Software Assurance Reference Dataset (SARD) is to provide a
public repository of test cases to measure the accuracy and breadth of software
assurance tools; to improve tools and techniques; and to increase adoption and use of
software tools, higher quality software. The CWE compatibility and effectiveness will
enhance the usability of SRD among software assurance tools and users.
Last Updated:
May 8, 2014
| Oversecured Inc |
Date Declared:
September 23, 2020
|
Quote/Declaration: A static SaaS-based vulnerability scanner for Android apps (APK files), supports apps written on Java and Kotlin. Allows integrations
into DevOps processes. Contains 90+ vulnerability categories.
Last Updated:
Nov 19, 2020
| Parasoft Corporation |
Date Declared:
September 14, 2009
|
Quote/Declaration: Parasoft enables development teams to build security into their applications by facilitating code-hardening practices based
on accepted industry standards.
Last Updated:
Jun 12, 2018
| Programming Research, Inc. |
Date Declared:
September 17, 2009
|
Quote/Declaration: PRQA is the leader in automated coding standards enforcement and defect prevention in C and C++ source code. Our support of
CWE enhances our ability to close security vulnerabilities. We are committed to the safety and security of our client's source
pools by supporting CWE on an ongoing basis.
Last Updated:
Nov 30, 2016
| QI-ANXIN Technology Group Inc. |
Date Declared:
December 29, 2022
|
Last Updated:
Feb 8, 2023
| Red Hat, Inc. |
Date Declared:
February 8, 2012
|
Quote/Declaration: Red Hat is engaged in CWE Compatibility for providing a common language for
discussing, identifying, and dealing with the causes of vulnerabilities in its
products as part of its assessment services, knowledge repositories, software
development practices, and education offerings.
Last Updated:
October 24, 2012
| School of Software, Tsinghua University |
Date Declared:
Jun 12, 2018
|
Last Updated:
Jun 12, 2018
| Security Reviewer |
Date Declared:
September 22, 2021
|
Quote/Declaration: To ensure accurate risk severity, Security Reviewer Suite correlates the results from across its multiple analyzers (SAST,
DAST, IAST, Software Composition Analysis and Firmware Analysis). This provides an accurate picture of your Application's
security and ensures development is addressing the most significant issues first.
Last Updated:
Oct 6, 2021
| Security-Database |
Date Declared:
May 5, 2008
|
Quote/Declaration: CWE is great effort to empower organizations to better identify and eliminate
programming flaws. Security-Database is pleased to support this initiative by
supplying CWE information along with vulnerability information. We are also planning
to ensure CWE compatibility with our next vulnerability management software.
Last Updated:
Mar 3, 2014
| SecZone |
Date Declared:
January 27, 2022
|
Last Updated:
Sep 13, 2023
| Shanghai Feiyu Technology Co.,Ltd. |
Date Declared:
August 12, 2022
|
Last Updated:
Sep 1, 2022
| Shenzhen Secidea Network Security Technology Co., Ltd |
Date Declared:
January 13, 2022
|
Quote/Declaration: Secidea is an application security company that focuses on making tools and platforms to help developers procedure high quality
software. Making our products compatible with CWE standard provides great benefits to the users of our products.
Last Updated:
Mar 1, 2022
| Soft4Soft Co., Ltd. |
Date Declared:
January 3, 2016
|
Last Updated:
Apr 28, 2020
| Software Security |
Date Declared:
March 16, 2023
|
Quote/Declaration: SoftSec SCA is an open source software governance tool that provides open source software asset identification (SBOM), security
risk analysis, license compliance detection, vulnerability alerts and open source software security management by leveraging
multiple detection technologies, an autonomous controllable analysis engine and a powerful security gene library to help enterprises
continuously reduce security, compliance and operational risks associated with open source software, and help enterprises
build a secure software supply chain system.
Last Updated:
Jun 30, 2023
| SonarSource SA |
Date Declared:
Aug 20, 2015
|
Quote/Declaration: The SonarQube platform is an open source, multi-language, extensible tool for Continuous Inspection of code quality. In combination
with the Java plugin, it offers full-featured code quality management for Java code. In combination with the C/C++ plugin,
it offers full-featured code quality management for C and C++ code. In combination with the Objective-C plugin, it offers
full-featured code quality management for Objective-C code.
Last Updated:
Aug 30, 2015
| Sparrow Co., Ltd. |
Date Declared:
August 8, 2012
|
Quote/Declaration: SPARROW is a source code analysis tool that has both semantic and syntactic analysis engines. SPARROW detects runtime errors,
security vulnerabilities, and coding convention violations in various programming languages (C/C++/Java/JSP/Android Java).
SparrowFasoo.com is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE Compatibility for
our product.
Last Updated:
Jun 21, 2018
| Suresoft Technologies Inc. |
Date Declared:
November 17, 2015
|
Last Updated:
Sep 19, 2019
| Suzhou Lengjingqicai Information Technology Co.,Ltd |
Date Declared:
September 6, 2022
|
Last Updated:
Oct 20, 2022
| Synopsys Inc. |
Date Declared:
September 10, 2009
|
Quote/Declaration: Synopsys helps organizations build high-quality, secure software faster.
Last Updated:
Sep 19, 2019
| ToolsWatch |
Date Declared:
Aug 20 2015
|
Quote/Declaration: ToolsWatch provides vFeed a fully aggregated, cross-linked and standardized Vulnerability Database based on CVE and industry
standards such as CWE, OVAL, CAPEC, CPE, CVSS etc. So we strongly believe the importance of the standardization efforts driven
by MITRE. Therefore, vFeed will definitely continue to support the CWE initiative and is pleased to ensure the CWE Compatibility
for its vFeed Vulnerability Database Community and all derived products and services.
Last Updated:
Apr 28, 2020
| TRINITYSOFT Co., Ltd |
Date Declared:
March 26, 2024
|
Last Updated:
Apr 16, 2024
| ValiantSec Technology Co.,Ltd |
Date Declared:
April 7, 2022
|
Last Updated:
Sep 13, 2023
| Vector Informatik GmbH |
Date Declared:
July 18, 2023
|
Quote/Declaration: We are in the process of adding support for CWE to the next release (2.1) of our product (PC-lint Plus) which we anticipate
being available by the end of 2023.
Last Updated:
Sep 13, 2023
| Veracode, Inc. |
Date Declared:
February 05, 2007
|
Quote/Declaration: We are pursuing CWE Compatibility because we believe in standards-based testing.
It benefits the customer community and advances progress in application security when
vendors adopt an industry standard. Doing so allows a common yardstick for
measurement regardless of the product or service used and allows true comparisons and
a common understanding of the problems affecting software applications.
Last Updated:
Oct 10, 2013
| WebLayers, Inc. |
Date Declared:
May 3, 2012
|
Quote/Declaration: WebLayers Center Java Security Library consists of policies that map to the CWE
standard and best practices. The policies provide a complete set of security specific
coding guidelines targeted at the Java programming language.
Last Updated:
April 5, 2013
