NOTICE: As of 4/16/2024, the CWE Compatibility Program has been discontinued. The product listings included in this section have been moved to "archive" status.
MOVING FORWARD: Please follow these CWE Compatibility Requirements to consider your product or service "CWE Compatible."
The products and services listed below have achieved the final stage of the CWE Compatibility Program and are now "Officially CWE-Compatible." The organization's completed "CWE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of their product listings.
Products are listed alphabetically by organization name:
| AbsInt Angewandte Informatik GmbH | Date Declared: Aug 18, 2018 |
|---|---|
Quote/Declaration: Astrée is a sound static analyzer capable of proving the absence of runtime errors and other programming defects in C code as well as verifying the code's compliance to coding guidelines. We are pleased to support the efforts of MITRE by adding CWE as a coding guideline that can be automatically checked and verified by Astrée.
| AdaCore | Date Declared: Aug 20, 2015 |
|---|---|
Quote/Declaration: AdaCore has decades of experience providing tools and services to customers in industries with the most demanding requirements for software safety, security and reliability. AdaCore technologies, such as SPARK Pro and CodePeer, generate verifiable evidence that the job is done right, beyond the usual "tested it lots". The Ada programming language has always placed an emphasis on software quality and security by its very design. Our approach takes that further, with the most advanced compilers and verification tools on the market. Through the Ada language and AdaCore tools, a number of the most dangerous SANS Top 25 CWE can be detected and corrected early in the software development cycle before they become active vulnerabilities.
| Ambionics Security | Date Declared: May 17, 2017 |
|---|---|
| Anban Information Technology Co., Ltd | Date Declared: April 30, 2024 |
|---|---|
| Anhui USTC-Guochuang High-Confidence Software Co.,Ltd | Date Declared: September 6, 2022 |
|---|---|
| Beijing Anpro Information Technology Co. LTD | Date Declared: September 30, 2020 |
|---|---|
| Beijing Beida Software Engineering Development Co., Ltd. | Date Declared: November 11, 2015 |
|---|---|
Quote/Declaration: COBOT focuses on detecting more and more bugs with high accuracy. The foundation of designing a good static analysis tool is defect patterns. Therefore COBOT is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE Compatibility for the development of our product.
| Beijing Moyunsec Technology Co.,Ltd | Date Declared: February 28, 2022 |
|---|---|
| Beijing RedRocket Technology Co., Ltd | Date Declared: September 22, 2021 |
|---|---|
Quote/Declaration: CWE is a famous general security vulnerability dictionary in the field of security. "CWE compatibility" is one of the important symbols of software security products. We hope to make our own contribution in the field of code security. In addition, if we successfully apply for CWE compatibility and effectiveness, our products will be favored by more users.
| Beijing Vulinsight Technology Co., Ltd | Date Declared: March 18, 2024 |
|---|---|
| Beijing ZHONGKE TIANQI Information Technology Co.,Ltd. | Date Declared: October 9, 2021 |
|---|---|
| CAST | Date Declared: September 17, 2009 |
|---|---|
Quote/Declaration: CAST's mission for 18 years has been to enable IT organizations to manage non-functional software risk, quality and measurement issues for better business outcomes. CAST has always believed in an industry-led, standards-based approach to ensure proper coverage. Along with ISO, SEI and de facto quality & measurement standards, CAST views CWE as an important new contribution to the canon that can be brought to bear on business issues.
| Checkmarx | Date Declared: March 19, 2008 |
|---|---|
Quote/Declaration: Checkmarx is an enthusiastic supporter of CWE standards and best practices. The combination of Checkmarx new generation Static Analysis Security Testing technology for all major coding languages including mobile (Android/iOS) and localization to various languages, together with CWE's industry leading standards, provides the programming community a more secure and vulnerability free environment. Exposing CWE's standards to our rapidly growing customer base, both in the U.S. and the rest of the world, has proven to be effective in identifying vulnerabilities and contributing to a more secure cyber world.
| CodeForce(Beijing)Software Technology Co., Ltd | Date Declared: February 21, 2022 |
|---|---|
| Conviso Application Security | Date Declared: April 12, 2013 |
|---|---|
Quote/Declaration: Because just finding bugs isn't enough!
| Cr0security | Date Declared: December 11, 2013 |
|---|---|
Quote/Declaration: Cr0security focuses on software application security and professional security services and supports the CWE standard.
| CXSecurity | Date Declared: January 3, 2012 |
|---|---|
| Cybellum | Date Declared: June 18, 2023 |
|---|---|
Quote/Declaration: Empowering security for a hyper-connected world, we proactively manage cyber risk and compliance from design to operational use, keeping our products and customers secure today and into the future.
| David A. Wheeler | Date Declared: Jul 25, 2014 |
|---|---|
| Denim Group, Ltd | Date Declared: March 12, 2013 |
|---|---|
Quote/Declaration: ThreadFix is a software vulnerability aggregation and management solution that imports results from static, dynamic, and manual software security testing tools, providing a centralized view of defects across development projects. CWE is an important and valuable initiative that will help ThreadFix users better understand the security posture of their code.
| DerSecur Ltd. | Date Declared: June 7, 2022 |
|---|---|
Quote/Declaration: DerSecur provides system integration, software development and cybersecurity solutions & services by focusing on client’s current needs and long-term strategy. DerSecur has a team of professionals, located in offices around the world. Our long-term partner relationships with industry leaders cover B2B solutions and IT infrastructure.
| Evenstar | Date Declared: January 15, 2016 |
|---|---|
Quote/Declaration: Our company offers the most up-to-date information on security and secure coding to customers. The CWE list of standardized software vulnerabilities is to be consulted when developing software for providing security and quality enhancement.
| GrammaTech, Inc. | Date Declared: March 13, 2007 |
|---|---|
Quote/Declaration: GrammaTech's CodeSonar is a static analysis tool for finding programming flaws and security vulnerabilities in C/C++ code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort.
| GTONE Co., Ltd. | Date Declared: Aug 20, 2015 |
|---|---|
| GYSecurity Technology Co., Ltd | Date Declared: January 11, 2024 |
|---|---|
| Hangzhou Huawei Cloud Computing Technologies Co., Ltd | Date Declared: August 23, 2022 |
|---|---|
| High-Tech Bridge SA | Date Declared: August 20, 2012 |
|---|---|
Quote/Declaration: At High-Tech Bridge we strongly believe that the CWE information security standard makes security measurable and universal, from which customers, vendors and security researchers benefit. We are grateful to the efforts of MITRE Corporation for continuous CWE standard development and support.
| IBM Security Systems | Date Declared: July 10, 2012 |
|---|---|
Quote/Declaration: IBM actively promotes, supports, and contributes to the emerging open systems standards such as CVE that enable technology management software in the IBM Security portfolio of intrusion detection, vulnerability assessment, end point management, and security management components to inter-operate and share management information. We know that open system standards are a critical step in this direction. We support CVE as the first and the most complete naming convention for vulnerability mapping in the industry and we are committed to using CVE within our product in a tightly integrated fashion.
| Imagix Corporation | Date Declared: Jun 12, 2018 |
|---|---|
Quote/Declaration: Through use of Imagix 4D's source and dataflow analysis and visualization, the Imagix CWE Checklist specifically identifies and assesses over 200 CWE weaknesses. Particular focus is on weaknesses that can't be easily resolved through static analysis alone. This guided code review supports C and C++, generating an audit trail and supporting repeated reviews across software revisions.
| IriusRisk | Date Declared: July 31, 2020 |
|---|---|
Quote/Declaration: IriusRisk is a threat modeling tool with architectural diagramming capabilities and an adaptive questionnaire driven by an expert system which guides the user through straightforward questions about the technical architecture, the planned features and security context of the application. The questionnaire modifies itself in real-time based on the supplied answers. As it learns more about the architecture, it asks more specific questions in order to accurately identify the inherent risks. This questionnaire is 100% editable through our graphical rules editor, so that you can customise the questions to your environment and common architectures.
| Julia S.R.L. |
|---|
Quote/Declaration: Julia is a sound semantic static analyzer of Java bytecode. We consider CWE standard as the lingua franca to communicate what capabilities our tool offers, to measure what it covers, and to compare our results with the ones of our competitors.
| Kiuwan Software S.L | Date Declared: February 17, 2017 |
|---|---|
Quote/Declaration: Enterprise Software Analytics platform. Based on static code analysis, Kiuwan gathers evidence from application source code to exploit them in a cloud (SaaS) platform at all levels to drive ALM decisions based on objective information. Application security is a key aspect to measure and control to avoid associated risk. Kiuwan provides not only high level indicators of application security, but all the detailed information of the found vulnerabilities with a clear mapping to CWE weaknesses, so stakeholders in the application development life cycle can take the appropriate action to mitigate vulnerabilities and associated risk.
| Klocwork, Inc. | Date Declared: February 05, 2007 |
|---|---|
Quote/Declaration: We see CWE as an important collaboration between academia, government, and industry to help mainstream the principles of secure coding. Klocwork is pleased to contribute to this initiative and have made our source code analysis tools compliant with the second level of the CWE Compatibility Program.
| LDRA | Date Declared: September 16, 2009 |
|---|---|
Quote/Declaration: LDRA has been a valuable contributor to the software security industry and its standardization process. The next step in this endeavor is establishing CWE compatibility and effectiveness as a top priority for the LDRA Tool Suite.
| Lucent Sky Corporation | Date Declared: November 30, 2015 |
|---|---|
| MathWorks, Inc. | Date Declared: January 15, 2014 |
|---|---|
Quote/Declaration: MathWorks has a long commitment to help its users create more reliable software. The MITRE initiative to establish a classification of software weaknesses is in line with our support of developing reliable and high quality software. We are pleased to support the CWE Compatibility Program with our Polyspace code verification products.
| Micro Focus Fortify | Date Declared: February 05, 2007 |
|---|---|
Quote/Declaration: Micro Focus Fortify recognizes the importance of establishing industry standard terminology and classification with regard to weaknesses in software and is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE compatibility for all Micro Focus Application Security Center products and services.
| Naive Systems Ltd. | Date Declared: November 8, 2023 |
|---|---|
| National Institute of Standards and Technology (NIST) | Date Declared: March 2, 2012 |
|---|---|
Quote/Declaration: The purpose of the Software Assurance Reference Dataset (SARD) is to provide a public repository of test cases to measure the accuracy and breadth of software assurance tools; to improve tools and techniques; and to increase adoption and use of software tools, higher quality software. The CWE compatibility and effectiveness will enhance the usability of SRD among software assurance tools and users.
| Oversecured Inc | Date Declared: September 23, 2020 |
|---|---|
Quote/Declaration: A static SaaS-based vulnerability scanner for Android apps (APK files), supports apps written in Java and Kotlin. Allows integrations into DevOps processes. Contains 90+ vulnerability categories.
| Parasoft Corporation | Date Declared: September 14, 2009 |
|---|---|
Quote/Declaration: Parasoft enables development teams to build security into their applications by facilitating code-hardening practices based on accepted industry standards.
| Programming Research, Inc. | Date Declared: September 17, 2009 |
|---|---|
Quote/Declaration: PRQA is the leader in automated coding standards enforcement and defect prevention in C and C++ source code. Our support of CWE enhances our ability to close security vulnerabilities. We are committed to the safety and security of our client's source pools by supporting CWE on an ongoing basis.
| QI-ANXIN Technology Group Inc. | Date Declared: December 29, 2022 |
|---|---|
| Red Hat, Inc. | Date Declared: February 8, 2012 |
|---|---|
Quote/Declaration: Red Hat is engaged in CWE Compatibility for providing a common language for discussing, identifying, and dealing with the causes of vulnerabilities in its products as part of its assessment services, knowledge repositories, software development practices, and education offerings.
| School of Software, Tsinghua University | Date Declared: Jun 12, 2018 |
|---|---|
| Security Reviewer | Date Declared: September 22, 2021 |
|---|---|
Quote/Declaration: To ensure accurate risk severity, Security Reviewer Suite correlates the results from across its multiple analyzers (SAST, DAST, IAST, Software Composition Analysis and Firmware Analysis). This provides an accurate picture of your Application's security and ensures development is addressing the most significant issues first.
| Security-Database | Date Declared: May 5, 2008 |
|---|---|
Quote/Declaration: CWE is a great effort to empower organizations to better identify and eliminate programming flaws. Security-Database is pleased to support this initiative by supplying CWE information along with vulnerability information. We are also planning to ensure CWE compatibility with our next vulnerability management software.
| SecZone | Date Declared: January 27, 2022 |
|---|---|
| Shanghai Feiyu Technology Co.,Ltd. | Date Declared: August 12, 2022 |
|---|---|
| Shenzhen Secidea Network Security Technology Co., Ltd | Date Declared: January 13, 2022 |
|---|---|
Quote/Declaration: Secidea is an application security company that focuses on making tools and platforms to help developers produce high quality software. Making our products compatible with CWE standard provides great benefits to the users of our products.
| Soft4Soft Co., Ltd. | Date Declared: January 3, 2016 |
|---|---|
| Software Security | Date Declared: March 16, 2023 |
|---|---|
Quote/Declaration: SoftSec SCA is an open source software governance tool that provides open source software asset identification (SBOM), security risk analysis, license compliance detection, vulnerability alerts and open source software security management by leveraging multiple detection technologies, an autonomous controllable analysis engine and a powerful security gene library to help enterprises continuously reduce security, compliance and operational risks associated with open source software, and help enterprises build a secure software supply chain system.
| SonarSource SA | Date Declared: Aug 20, 2015 |
|---|---|
Quote/Declaration: The SonarQube platform is an open source, multi-language, extensible tool for Continuous Inspection of code quality. In combination with the Java plugin, it offers full-featured code quality management for Java code. In combination with the C/C++ plugin, it offers full-featured code quality management for C and C++ code. In combination with the Objective-C plugin, it offers full-featured code quality management for Objective-C code.
| Sparrow Co., Ltd. | Date Declared: August 8, 2012 |
|---|---|
Quote/Declaration: SPARROW is a source code analysis tool that has both semantic and syntactic analysis engines. SPARROW detects runtime errors, security vulnerabilities, and coding convention violations in various programming languages (C/C++/Java/JSP/Android Java). SparrowFasoo.com is pleased to support the efforts of MITRE to establish the CWE standard by ensuring CWE Compatibility for our product.
| Suresoft Technologies Inc. | Date Declared: November 17, 2015 |
|---|---|
| Suzhou Lengjingqicai Information Technology Co.,Ltd | Date Declared: September 6, 2022 |
|---|---|
| Synopsys Inc. | Date Declared: September 10, 2009 |
|---|---|
Quote/Declaration: Synopsys helps organizations build high-quality, secure software faster.
| ToolsWatch | Date Declared: Aug 20, 2015 |
|---|---|
Quote/Declaration: ToolsWatch provides vFeed, a fully aggregated, cross-linked and standardized Vulnerability Database based on CVE and industry standards such as CWE, OVAL, CAPEC, CPE, CVSS etc. So we strongly believe in the importance of the standardization efforts driven by MITRE. Therefore, vFeed will definitely continue to support the CWE initiative and is pleased to ensure the CWE Compatibility for its vFeed Vulnerability Database Community and all derived products and services.
| TRINITYSOFT Co., Ltd | Date Declared: March 26, 2024 |
|---|---|
| ValiantSec Technology Co.,Ltd | Date Declared: April 7, 2022 |
|---|---|
| Vector Informatik GmbH | Date Declared: July 18, 2023 |
|---|---|
Quote/Declaration: We are in the process of adding support for CWE to the next release (2.1) of our product (PC-lint Plus) which we anticipate being available by the end of 2023.
| Veracode, Inc. | Date Declared: February 05, 2007 |
|---|---|
Quote/Declaration: We are pursuing CWE Compatibility because we believe in standards-based testing. It benefits the customer community and advances progress in application security when vendors adopt an industry standard. Doing so allows a common yardstick for measurement regardless of the product or service used and allows true comparisons and a common understanding of the problems affecting software applications.
| WebLayers, Inc. | Date Declared: May 3, 2012 |
|---|---|
Quote/Declaration: WebLayers Center Java Security Library consists of policies that map to the CWE standard and best practices. The policies provide a complete set of security specific coding guidelines targeted at the Java programming language.
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.